Re: CSP 1.0

I'm having trouble reconciling 2 and 3 (text below with minor deletions)

On 5/7/12 1:54 AM, Adam Barth wrote:
> 2) Somewhat more controversially, I've changed the behavior when the
> user agent receives more than one policy.  At the face-to-face, we
> discussed having the user agent enforce a policy of default-src 'none'
> in this case, but during the test jam, I realized that user agents are
> going to need to implement policy combination anyway to deal with
> vendor prefixes.
> 
> 3) As discussed at the face-to-face, the spec now requires user agents
> to enforce the policy default-src 'none' if they encounter a CSP
> policy with a comma:
> 
> Such a policy is likely the result of network intermediaries mangling
> the policy.

A policy with a comma is more likely the result of a network
combining two separate policies according to the HTTP spec. If we're
OK combining headers when received separately--which I am!--why
punish sites if a proxy takes what would be an acceptable set of
headers and transforms them in a predictable way?

It would be more consistent to specify that headers should be split
on commas and then combined as in 2).  Saying that both cases should
be default-src 'none' would be equally consistent, but might
discourage adoption of CSP if sites broke unpredictably.

-Dan Veditz

Received on Tuesday, 8 May 2012 01:26:20 UTC
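As an added illustration (not part of this thread, nor any browser's or the spec's own code), here is a small Python sketch of the behaviour Dan proposes: split each received header value on commas, parse every piece as its own policy, and enforce all of them. The header values, origins, and the simplified source matching are constructed for the example.

```python
from typing import Dict, List

# Constructed header values: the same two policies, once as two separate
# headers and once joined with a comma the way an HTTP intermediary would.
SEPARATE_HEADERS = [
    "default-src 'self'; img-src https://cdn.example.com",
    "img-src https://cdn.example.com https://other.example.com",
]
PROXY_JOINED_HEADER = [", ".join(SEPARATE_HEADERS)]

Policy = Dict[str, List[str]]


def parse_policy(text: str) -> Policy:
    """Parse one policy string into a directive -> source-list map.
    Directive names are case-insensitive; a repeated directive is ignored
    (the first occurrence wins), matching the CSP 1.0 parsing rules."""
    policy: Policy = {}
    for directive in text.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def split_header_values(header_values: List[str]) -> List[Policy]:
    """Split every received header value on commas so a proxy-joined header
    yields the same list of policies as the separate headers did."""
    return [parse_policy(part) for value in header_values
            for part in value.split(",") if part.strip()]


def source_allowed(policy: Policy, directive: str, origin: str,
                   page_origin: str) -> bool:
    """Check one load against one policy. Source matching is simplified
    to exact origins plus 'self', '*' and 'none' for this example."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # the policy says nothing about this kind of load
    return any(src == "*" or src == origin
               or (src == "'self'" and origin == page_origin)
               for src in sources)  # 'none' matches nothing


def allowed_by_all(header_values: List[str], directive: str,
                   origin: str, page_origin: str) -> bool:
    """Enforce each policy independently: the load must pass all of them,
    which for allowlists is the intersection of the policies."""
    return all(source_allowed(p, directive, origin, page_origin)
               for p in split_header_values(header_values))
```

Because the comma-joined header parses into exactly the policies the separate headers carried, the decisions are identical either way, which is the consistency the reply argues for.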