Re: CSP and comma-separated directives

On 1/8/2013 7:55 AM, Yoav Weiss wrote:
> That raises a couple of questions: 1. How does the specification deal
> with delimiting commas (and the lack of delimiting semi-colons)? 2.
> Do several CSP headers create a single CSP policy, or multiple ones?

The spec doesn't seem to say what to do in that case. The Mozilla
implementation first splits the header(s) on commas to reconstruct the
assumed-merged multiple headers before applying the parsing rules for
individual headers.

> the merged CSP header, assuming it will become valid (e.g. by allowing
> delimiting commas), will ignore the second script-src directive.

Taken literally the existing spec would treat that as a single
badly-formed script-src directive that included the hosts "default-src"
and "script-src". Splitting merged headers on comma seems to be assumed.

-Dan Veditz

Received on Tuesday, 8 January 2013 17:25:41 UTC
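The two parsing strategies discussed in the thread, side by side, as an added example that is not code from the thread, from Mozilla or from any CSP implementation. It assumes the behaviour Dan describes (split a comma-merged field back into separate policies before parsing each one on semicolons), the first-occurrence-wins rule for a repeated directive that Yoav's quote implies, and that each resulting policy is enforced on its own so a load has to pass all of them. Function names, the sample headers and the host-only source matching are all constructed for this illustration.

```python
"""Constructed example: parsing comma-merged Content-Security-Policy headers.

HTTP allows several occurrences of the same header field to be folded into
one field with comma separators.  CSP separates directives with semicolons
and never uses a comma inside a directive, so splitting the merged value on
commas recovers the original list of policies before each is parsed alone.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

Policy = Dict[str, List[str]]


def split_merged_header(value: str) -> List[str]:
    """Undo HTTP header folding: one comma-merged field -> individual policies."""
    return [p.strip() for p in value.split(",") if p.strip()]


def parse_policy(policy: str) -> Policy:
    """Parse a single policy: semicolon-separated directives, each a name
    followed by whitespace-separated source expressions.  The first occurrence
    of a directive name wins; later duplicates are ignored (assumed rule)."""
    directives: Policy = {}
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in directives:
            directives[name] = parts[1:]
    return directives


def parse_csp_headers(header_values: List[str]) -> List[Policy]:
    """Every header occurrence, merged or not, yields independent policies."""
    return [parse_policy(p) for value in header_values
            for p in split_merged_header(value)]


def literal_parse(value: str) -> Policy:
    """What a comma-unaware parser produces: the whole merged field is one
    policy, so the second policy's directive names become host tokens inside
    the first policy's last directive, and its own directives are swallowed."""
    return parse_policy(value)


def source_allows(source: str, url: str, self_url: str) -> bool:
    """Host-only source matching: 'self', 'none', '*', host, and *.host.
    Scheme and port matching are deliberately omitted (simplification)."""
    host = (urlsplit(url).hostname or "").lower()
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return host == (urlsplit(self_url).hostname or "").lower()
    src_host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", source, flags=re.I)
    src_host = src_host.split("/")[0].split(":")[0].lower()
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])  # wildcard does not match the apex
    return host == src_host


def directive_allows(policy: Policy, directive: str, url: str, self_url: str) -> bool:
    """Resolve the directive, falling back to default-src; if neither is
    present the policy has nothing to say and the load is permitted."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_allows(s, url, self_url) for s in sources)


def allowed(policies: List[Policy], directive: str, url: str, self_url: str) -> bool:
    """Each policy is enforced independently: the load must satisfy all of them."""
    return all(directive_allows(p, directive, url, self_url) for p in policies)


# Constructed sample: two CSP headers as an origin server emitted them ...
HEADERS_AS_SENT = [
    "script-src 'self' cdn.example.com",
    "default-src 'none'; script-src 'self'",
]
# ... and the single field an intermediary produces by merging them with a comma.
MERGED = ", ".join(HEADERS_AS_SENT)

if __name__ == "__main__":
    print("split on commas:", parse_csp_headers([MERGED]))
    print("taken literally:", literal_parse(MERGED))
    self_url = "https://app.example.com/"
    for script in ("https://app.example.com/main.js", "https://cdn.example.com/lib.js"):
        print(script, "->", allowed(parse_csp_headers([MERGED]), "script-src", script, self_url))
```

With the comma split, the merged field parses to exactly the two policies that were sent, and the CDN script is refused because the second policy's `script-src 'self'` must also be satisfied. Taken literally, the same field collapses into one policy whose `script-src` list contains the token `default-src` as if it were a host, and the second policy's `script-src` is discarded as a duplicate, which is the behaviour both messages in the thread are describing.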