Re: CSP 1.0

On Mon, May 7, 2012 at 6:25 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> I'm having trouble reconciling 2 and 3 (text below with minor deletions)
>
> On 5/7/12 1:54 AM, Adam Barth wrote:
>> 2) Somewhat more controversially, I've changed the behavior when the
>> user agent receives more than one policy.  At the face-to-face, we
>> discussed having the user agent enforce a policy of default-src 'none'
>> in this case, but during the test jam, I realized that user agents are
>> going to need to implement policy combination anyway to deal with
>> vendor prefixes.
>>
>> 3) As discussed at the face-to-face, the spec now requires user agents
>> to enforce the policy default-src 'none' if they encounter a CSP
>> policy with a comma:
>>
>> Such a policy is likely the result of network intermediaries mangling
>> the policy.
>
> A policy with a comma is more likely the result of a network
> combining two separate policies according to the HTTP spec. If we're
> OK combining headers when received separately--which I am!--why
> punish sites if a proxy takes what would be an acceptable set of
> headers and transforms them in a predictable way?
>
> It would be more consistent to specify that headers should be split
> on commas and then combined as in 2).  Saying that both cases should
> be default-src 'none' would be equally consistent, but might
> discourage adoption of CSP if sites broke unpredictably.

IMHO, this question boils down to whether servers are permitted to
send multiple Content-Security-Policy header fields.  Currently the
spec forbids them from doing so.  If we did permit servers to send
multiple Content-Security-Policy header fields, then I'd agree with
you that splitting on "," and enforcing both policies would make
sense.  (Note: The spec does instruct user agents how to behave if
they do receive multiple Content-Security-Policy header fields, but
that's a separate concern.)

Adam

Received on Tuesday, 8 May 2012 01:38:23 UTC