- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 7 May 2012 18:37:21 -0700
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: public-webappsec@w3.org
On Mon, May 7, 2012 at 6:25 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> I'm having trouble reconciling 2 and 3 (text below with minor deletions)
>
> On 5/7/12 1:54 AM, Adam Barth wrote:
>> 2) Somewhat more controversially, I've changed the behavior when the
>> user agent receives more than one policy. At the face-to-face, we
>> discussed having the user agent enforce a policy of default-src 'none'
>> in this case, but during the test jam, I realized that user agents are
>> going to need to implement policy combination anyway to deal with
>> vendor prefixes.
>>
>> 3) As discussed at the face-to-face, the spec now requires user agents
>> to enforce the policy default-src 'none' if they encounter a CSP
>> policy with a comma:
>>
>> Such a policy is likely the result of network intermediaries mangling
>> the policy.
>
> A policy with a comma is more likely the result of a network
> combining two separate policies according to the HTTP spec. If we're
> OK combining headers when received separately--which I am!--why
> punish sites if a proxy takes what would be an acceptable set of
> headers and transforms them in a predictable way?
>
> It would be more consistent to specify that headers should be split
> on commas and then combined as in 2). Saying that both cases should
> be default-src 'none' would be equally consistent, but might
> discourage adoption of CSP if sites broke unpredictably.

IMHO, this question boils down to whether servers are permitted to send
multiple Content-Security-Policy header fields. Currently the spec
forbids them from doing so. If we did permit servers to send multiple
Content-Security-Policy header fields, then I'd agree with you that
splitting on "," and enforcing both policies would make sense.

(Note: The spec does instruct user agents how to behave if they do
receive multiple Content-Security-Policy header fields, but that's a
separate concern.)

Adam
Received on Tuesday, 8 May 2012 01:38:23 UTC
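The following is an added illustration of the two behaviours the thread is weighing; it is not code from the thread, from the CSP draft, or from any browser. It models a user agent that receives one or more Content-Security-Policy header field values and either (a) splits a comma-joined value into separate policies and enforces every policy, as Dan proposes, or (b) treats any value containing a comma as the policy default-src 'none', as Adam's draft does. Assumptions, all hypothetical for the example: only the keywords 'self', 'none' and '*' plus bare origin strings are modelled as source expressions (no scheme-only or wildcard-host matching, no paths or ports), only fetch directives that fall back to default-src are modelled, and the function names are invented here. The sample header values are constructed for the example.

```javascript
// Parse one serialized CSP policy, e.g. "default-src 'self'; img-src https://cdn.example".
// Directives are ';'-separated; the first occurrence of a directive name wins,
// later duplicates are ignored (hypothetical simplification of the draft's rule).
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Does one source expression permit a load from `origin` on a page at `pageOrigin`?
// Only the keyword forms and exact origin strings are modelled (assumption).
function sourceMatches(expr, origin, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === '*') return true;
  if (expr === "'self'") return origin === pageOrigin;
  return expr.toLowerCase() === origin.toLowerCase();
}

// Does a single policy allow a load governed by `directive`?
// A missing fetch directive falls back to default-src; if neither is present
// the policy places no restriction on that load.
function policyAllows(policy, directive, origin, pageOrigin) {
  const list = policy.get(directive) ?? policy.get('default-src');
  if (list === undefined) return true;
  return list.some((expr) => sourceMatches(expr, origin, pageOrigin));
}

// Policy combination as in point 2) of the thread: every received policy is
// enforced independently, so a load is allowed only if all of them allow it.
function combinedAllows(policies, directive, origin, pageOrigin) {
  return policies.every((p) => policyAllows(p, directive, origin, pageOrigin));
}

// Turn the raw header field values (one entry per Content-Security-Policy
// header line) into the list of policies to enforce.
//   splitOnComma = true : a comma is an HTTP field join, split into separate policies.
//   splitOnComma = false: a comma is treated as mangling, the value becomes default-src 'none'.
function policiesFromHeaders(headerValues, { splitOnComma }) {
  const policies = [];
  for (const value of headerValues) {
    if (!value.includes(',')) {
      policies.push(parsePolicy(value));
    } else if (splitOnComma) {
      for (const piece of value.split(',')) policies.push(parsePolicy(piece));
    } else {
      policies.push(parsePolicy("default-src 'none'"));
    }
  }
  return policies;
}

// Constructed sample: two header lines as the server sent them, and the same
// two lines after a proxy joined them with a comma per the HTTP header rules.
const PAGE_ORIGIN = 'https://app.example';
const SEPARATE_HEADERS = ["default-src 'self'", "img-src https://cdn.example 'self'"];
const PROXY_JOINED_HEADERS = ["default-src 'self', img-src https://cdn.example 'self'"];

// Evaluate a few loads under a given set of header values and combination mode.
function evaluate(headerValues, splitOnComma) {
  const policies = policiesFromHeaders(headerValues, { splitOnComma });
  return {
    imgFromSelf: combinedAllows(policies, 'img-src', PAGE_ORIGIN, PAGE_ORIGIN),
    imgFromCdn: combinedAllows(policies, 'img-src', 'https://cdn.example', PAGE_ORIGIN),
    scriptFromCdn: combinedAllows(policies, 'script-src', 'https://cdn.example', PAGE_ORIGIN),
  };
}

console.log('separate headers       ', evaluate(SEPARATE_HEADERS, false));
console.log('joined, split on comma ', evaluate(PROXY_JOINED_HEADERS, true));
console.log('joined, treated as none', evaluate(PROXY_JOINED_HEADERS, false));
```

Running it shows the point of the exchange: with the two header lines enforced as separate policies, an image from cdn.example is blocked (the first policy's default-src 'self' covers it) while an image from the page's own origin is allowed; splitting the proxy-joined value on the comma reproduces exactly those results; treating the joined value as default-src 'none' blocks everything, including the page's own images.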