- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 8 May 2012 12:41:59 -0700
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: public-webappsec@w3.org
On Tue, May 8, 2012 at 10:51 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 5/7/12 6:37 PM, Adam Barth wrote:
>> IMHO, this question boils down to whether servers are permitted to
>> send multiple Content-Security-Policy header fields. Currently the
>> spec forbids them from doing so. If we did permit servers to send
>> multiple Content-Security-Policy header fields, then I'd agree with
>> you that splitting on "," and enforcing both policies would make
>> sense. (Note: The spec does instruct user agents how to behave if
>> they do receive multiple Content-Security-Policy header fields, but
>> that's a separate concern.)
>
> How can it be a separate concern? If the server is forbidden from
> sending a second header where did the second header that the spec
> instructs the UA to handle come from?

There are a number of possibilities:

1) A server misconfiguration
2) An attacker
3) An intermediary messing around with headers
4) A browser extension messing around with headers

In the same way that the following is invalid HTML, the HTML parsing
spec still explains what to do with it:

<b>The <i>quick</b> brown</i> fox.

> If a proxy has combined two
> headers (as evidenced by a comma) how do we know the extra one
> wasn't one of these apparently legitimate ones?

According to the spec, currently, it's not legitimate to include more
than one header.

> If servers are forbidden from sending two headers then two headers
> may be a sign of an attack, justifying a hard-line response (no
> combining, comma equals death).

Enforcing both policies seems like a reasonable fail-safe response to an attack.

> If it's at all reasonable to combine
> headers why is one kind of combining OK and the other not?

I don't have strong feelings about it. If you'd like to split headers
on "," and combine the policies, we can do that. It just seems like
if we do that, we should permit servers to send multiple headers.

> I personally prefer combining and I can live with a hard-line "only
> one header" rule, but I don't like an inconsistent mix of the two.

Makes sense.

Adam

Received on Tuesday, 8 May 2012 19:43:01 UTC
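
The fail-safe combination discussed in this message (split on "," and enforce both policies), as an added example that is not part of the original e-mail or of the specification: a load is permitted only if every policy permits it, so an extra header can narrow but never widen what is allowed. The function names, the sample headers and the simplified matching (exact origin strings and `*` only, no commas inside a policy) are assumptions made for illustration.

```javascript
// Added illustration; names and sample headers are constructed, not from the thread.

// Treat separately received header fields and comma-folded values the same way:
// every comma-separated piece is one independent policy.
function splitPolicies(headerValues) {
  return headerValues
    .flatMap((value) => value.split(","))
    .map((piece) => piece.trim())
    .filter((piece) => piece.length > 0);
}

// Parse one policy into a Map: directive name -> list of source expressions.
// Modelling choice: a repeated directive inside one policy is ignored.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Simplified matching (assumption): exact origin string or "*".
// 'none' and an empty source list match nothing.
function policyAllows(policy, directive, origin) {
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (sources === undefined) return true; // this policy does not restrict the type
  return sources.some((s) => s === "*" || s.toLowerCase() === origin.toLowerCase());
}

// Enforce all policies: one refusal is enough to block the load.
function allowedByAll(headerValues, directive, origin) {
  return splitPolicies(headerValues)
    .map(parsePolicy)
    .every((policy) => policyAllows(policy, directive, origin));
}

// Constructed samples: the same two policies, folded by a proxy vs. sent separately.
const FOLDED = ["script-src https://cdn.example.com; img-src *, script-src *"];
const SEPARATE = ["script-src https://cdn.example.com; img-src *", "script-src *"];

for (const headers of [FOLDED, SEPARATE]) {
  console.log(allowedByAll(headers, "script-src", "https://cdn.example.com"),
              allowedByAll(headers, "script-src", "https://other.example"));
}
```

The looser second policy (`script-src *`) does not re-open what the first policy restricts, which is the property that makes enforcing both a fail-safe answer to an injected or duplicated header.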