Re: CSP and comma-separated directives from Yoav Weiss on 2013-01-09 (public-webappsec@w3.org from January 2013)

From: Yoav Weiss <yoav@yoav.ws>
Date: Wed, 9 Jan 2013 10:07:29 +0100
To: Adam Barth <w3c@adambarth.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CACj=BEjwRrGwyKyKt+MpyD5+BXBSVfnL_XwCt880x3VN1YjopA@mail.gmail.com>

OK, so the sentence "This document also uses the ABNF extension "#rule" as
defined in HTTP 1.1." (and the extension itself) is what I missed.

Thanks!


On Tue, Jan 8, 2013 at 11:36 PM, Adam Barth <w3c@adambarth.com> wrote:

> The header is first split on , and then each of the comma-separated
> values are interpreted as if they were sent in separate
> Content-Security-Policy headers:
>
>
> https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#content-security-policy-header-field
>
> "Content-Security-Policy:" 1#policy
>
> The 1#policy means 1 or more comma separated policies.
>
> Adam
>
>
> On Tue, Jan 8, 2013 at 7:55 AM, Yoav Weiss <yoav@yoav.ws> wrote:
> > Since section 3.1.1 permits sending multiple CSP headers, according to
> RFC
> > 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2), the
> > following should be semantically equivalent:
> >     Content-Security-Policy: script-src http://bla.com
> >     Content-Security-Policy: default-src http://bla.org
> >     Content-Security-Policy: script-src http://bla.com/blabla
> > and
> >     Content-Security-Policy: script-src http://bla.com, default-src
> > http://bla.org, script-src http://bla.com/blabla
> >
> > Such HTTP header merging can be done by an HTTP proxy.
> >
> > That raises a couple of questions:
> > 1. How does the specification deal with delimiting commas (and the lack
> of
> > delimiting semi-colons)?
> > 2. Do several CSP headers create a single CSP policy, or multiple ones?
> >
> > From sections 3.1.1 and 3.2.1, I understand that each HTTP header
> creates a
> > separate CSP policy, and a delimiting semi-colon must be present.
> >
> > If I understand correctly, while the 3 separate CSP headers create 3 CSP
> > policies which will be applied with an "and" relationship, the merged CSP
> > header, assuming it will become valid(e.g. by allowing delimiting
> commas),
> > will ignore the second script-src directive.
> >
> > That means that HTTP header merging will lead to different policies being
> > applied.
> >
> > Am I missing something?
> >
> > Yoav
>

Received on Wednesday, 9 January 2013 09:07:58 UTC