- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 08 Jan 2013 09:25:07 -0800
- To: Yoav Weiss <yoav@yoav.ws>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 1/8/2013 7:55 AM, Yoav Weiss wrote:

> That raises a couple of questions:
> 1. How does the specification deal with delimiting commas (and the lack of delimiting semi-colons)?
> 2. Do several CSP headers create a single CSP policy, or multiple ones?

The spec doesn't seem to say what to do in that case. The Mozilla implementation first splits the header(s) on commas to reconstruct the assumed-merged multiple headers before applying the parsing rules for individual headers.

> the merged CSP header, assuming it will become valid (e.g. by allowing
> delimiting commas), will ignore the second script-src directive.

Taken literally the existing spec would treat that as a single badly-formed script-src directive that included the hosts "default-src" and "script-src". Splitting merged headers on comma seems to be assumed.

-Dan Veditz
Received on Tuesday, 8 January 2013 17:25:41 UTC
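The two readings discussed in the message, worked through in code. This is an added example, not code from the thread, from Mozilla or from the W3C spec: a minimal policy parser applied to a constructed merged header value, once taken literally as a single policy (commas end up inside a source list, so "default-src" is read as a host and the second script-src is dropped as a duplicate) and once split on commas first so that each originally separate header is parsed and enforced on its own, which is the behaviour later CSP levels adopted. Source matching here is exact string comparison, a deliberate simplification of real CSP source-expression matching.

```python
"""Compare literal vs split-on-comma parsing of a merged CSP header.

Added example for the mailing-list discussion above; not the Mozilla
implementation. Source matching is simplified to exact string equality.
"""
from typing import Dict, List, Optional

Policy = Dict[str, List[str]]

# Constructed sample: two separately sent headers that an intermediary
# or HTTP library has merged into one value with a comma.
HEADER_1 = "script-src https://a.example"
HEADER_2 = "default-src 'self'; script-src https://b.example"
MERGED = f"{HEADER_1}, {HEADER_2}"


def parse_policy(serialized: str) -> Policy:
    """Parse one policy: ';'-separated directives, each a name followed by
    whitespace-separated source expressions. A repeated directive name is
    ignored (the first occurrence stands), as CSP specifies."""
    policy: Policy = {}
    for token in serialized.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name in policy:
            continue  # duplicate directive: ignored
        policy[name] = parts[1:]
    return policy


def parse_header_literal(value: str) -> Policy:
    """The 'taken literally' reading: the whole merged value is one policy."""
    return parse_policy(value)


def parse_header_split(value: str) -> List[Policy]:
    """Split on commas first to recover the separately sent headers, then
    parse each as its own policy."""
    return [parse_policy(p) for p in value.split(",") if p.strip()]


def effective_sources(policy: Policy, directive: str) -> Optional[List[str]]:
    """Source list governing `directive`, falling back to default-src;
    None when the policy says nothing about it."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def allows(policies: List[Policy], directive: str, source: str) -> bool:
    """Several policies are enforced independently: every policy that
    covers the directive must permit the source."""
    for policy in policies:
        sources = effective_sources(policy, directive)
        if sources is None:
            continue
        if source not in sources:
            return False
    return True


if __name__ == "__main__":
    print("literal:", parse_header_literal(MERGED))
    print("split:  ", parse_header_split(MERGED))
```

Running the block shows the literal parse producing a single `script-src` directive whose sources include the stray token `default-src`, while the split parse yields two policies that are then both applied to each load.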