- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Mon, 07 May 2012 18:25:36 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: public-webappsec@w3.org
I'm having trouble reconciling 2 and 3 (text below with minor deletions).

On 5/7/12 1:54 AM, Adam Barth wrote:
> 2) Somewhat more controversially, I've changed the behavior when the
> user agent receives more than one policy. At the face-to-face, we
> discussed having the user agent enforce a policy of default-src 'none'
> in this case, but during the test jam, I realized that user agents are
> going to need to implement policy combination anyway to deal with
> vendor prefixes.
>
> 3) As discussed at the face-to-face, the spec now requires user agents
> to enforce the policy default-src 'none' if they encounter a CSP
> policy with a comma:
>
> Such a policy is likely the result of network intermediaries mangling
> the policy.

A policy with a comma is more likely the result of a network combining two separate policies according to the HTTP spec. If we're OK combining headers when received separately--which I am!--why punish sites if a proxy takes what would be an acceptable set of headers and transforms them in a predictable way?

It would be more consistent to specify that headers should be split on commas and then combined as in 2). Saying that both cases should be default-src 'none' would be equally consistent, but might discourage adoption of CSP if sites broke unpredictably.

-Dan Veditz
Received on Tuesday, 8 May 2012 01:26:20 UTC
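The two behaviours Dan contrasts, modelled side by side: a user agent that splits a comma-joined header and enforces every policy it finds (his extension of option 2), versus one that treats any comma as mangling and enforces default-src 'none' (option 3). This is an added illustration, not code from the thread or from any browser; it uses a deliberately minimal CSP subset (directive name followed by sources; only 'self', 'none' and exact origins), and the header values and origins are constructed sample data.

```python
# Added example (not from the thread): a toy model of the two options Dan
# contrasts, using a deliberately minimal CSP subset (directive name followed
# by sources; only 'self', 'none' and exact origins are understood).
from urllib.parse import urlsplit

def parse_policy(text):
    """Parse one policy ("script-src 'self'; img-src https://c.example") into a dict."""
    policy = {}
    for directive in text.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def split_header(value):
    """Split a header value on commas, undoing the HTTP-style join of repeated headers."""
    return [part.strip() for part in value.split(",") if part.strip()]

def allows(policy, directive, url, page_origin):
    """Does a single policy allow loading url for the given fetch directive?"""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # this policy does not restrict the directive
    if sources == ["'none'"]:
        return False
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}"
    return any((s == "'self'" and origin == page_origin) or s == origin for s in sources)

def enforce_combined(header_values, directive, url, page_origin):
    """Option 2 extended to commas: every policy found must allow the load."""
    policies = [parse_policy(p) for v in header_values for p in split_header(v)]
    return all(allows(p, directive, url, page_origin) for p in policies)

def enforce_comma_is_none(header_values, directive, url, page_origin):
    """Option 3: any comma is treated as mangling and default-src 'none' is enforced."""
    if any("," in v for v in header_values):
        return False
    return enforce_combined(header_values, directive, url, page_origin)

# Constructed sample: two headers as the origin server sent them, and the same
# two after an intermediary has folded them into one comma-separated value.
SEPARATE = ["script-src 'self'", "img-src 'self' https://cdn.example.org"]
FOLDED = ["script-src 'self', img-src 'self' https://cdn.example.org"]
PAGE = "https://www.example.com"
```

Under `enforce_combined` the folded header behaves exactly like the separate ones, which is the consistency Dan argues for; under `enforce_comma_is_none` the same site breaks as soon as a proxy folds its headers.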