On 2013-01-08 16:55, Yoav Weiss wrote: > Since section 3.1.1 permits sending multiple CSP headers, according to > RFC 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2), > the following should be semantically equivalent: > Content-Security-Policy: script-src http://bla.com > Content-Security-Policy: default-src http://bla.org > Content-Security-Policy: script-src http://bla.com/blabla > and > Content-Security-Policy: script-src http://bla.com, default-src > http://bla.org, script-src http://bla.com/blabla > > Such HTTP header merging can be done by an HTTP proxy. > > That raises a couple of questions: > 1. How does the specification deal with delimiting commas (and the lack > of delimiting semi-colons)? ...and, even worse, "," is an allowed character in URIs... > 2. Do several CSP headers create a single CSP policy, or multiple ones? > > From sections 3.1.1 and 3.2.1, I understand that each HTTP header > creates a separate CSP policy, and a delimiting semi-colon must be present. > > If I understand correctly, while the 3 separate CSP headers create 3 CSP > policies which will be applied with an "and" relationship, the merged > CSP header, assuming it will become valid(e.g. by allowing delimiting > commas), will ignore the second script-src directive. > > That means that HTTP header merging will lead to different policies > being applied. > > Am I missing something? > > YoavReceived on Tuesday, 8 January 2013 16:13:45 UTC
This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:00 UTC