- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 08 May 2012 10:51:21 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: public-webappsec@w3.org
On 5/7/12 6:37 PM, Adam Barth wrote:
> IMHO, this question boils down to whether servers are permitted to
> send multiple Content-Security-Policy header fields. Currently the
> spec forbids them from doing so. If we did permit servers to send
> multiple Content-Security-Policy header fields, then I'd agree with
> you that splitting on "," and enforcing both policies would make
> sense. (Note: The spec does instruct user agents how to behave if
> they do receive multiple Content-Security-Policy header fields, but
> that's a separate concern.)

How can it be a separate concern? If the server is forbidden from sending a second header, where did the second header that the spec instructs the UA to handle come from? If a proxy has combined two headers (as evidenced by a comma), how do we know the extra one wasn't one of these apparently legitimate ones?

If servers are forbidden from sending two headers, then two headers may be a sign of an attack, justifying a hard-line response (no combining, comma equals death). If it's at all reasonable to combine headers, why is one kind of combining OK and the other not?

I personally prefer combining, and I can live with a hard-line "only one header" rule, but I don't like an inconsistent mix of the two.

-Dan Veditz
Received on Tuesday, 8 May 2012 17:52:04 UTC