[CSP] different perspective on Report-Only


Following the excellent talk https://www.youtube.com/watch?v=pocsv39pNXA by Adam Barth: CSP supports setting multiple policies (i.e. multiple Content-Security-Policy headers) in a response, which then all must be fulfilled. One reason for this principle, as mentioned in the talk, is that an attacker might somehow be able to add his own CSP header to the response, however without replacing existing headers coming from the server. In this case the attack does not open up security, because additional Content-Security-Policy headers can only introduce more restrictions.

Having said that, an attacker could consider adding the header Content-Security-Policy-Report-Only in order to open up security.

Right now I am not sure if this could be an issue.

If any Content-Security-Policy headers have precedence over any Content-Security-Policy-Report-Only headers, the attacker would still not be able to open up security in the above-mentioned way. Actually, I expect it to work like that. This should be mentioned in the section http://www.w3.org/TR/CSP2/#content-security-policy-report-only.

Kind Regards,

Sven Ludwig
Senacor Technologies AG
Joseph-Schumpeter-Allee 1
53227 Bonn

T +49 (228) 7636 - 204
F +49 (228) 7636 - 100
M +49 (172) 81 40 733


Senacor Technologies Aktiengesellschaft - Sitz: Schwaig b. Nbg. - Amtsgericht Nbg.- Reg.-Nr.: HRB 23098
Vorstand: Matthias Tomann, Marcus Purzer - Aufsichtsratsvorsitzender: Mathias J. Lindermeir


This e-mail including any attachments may contain confidential and/or privileged information. If you are
not the intended recipient (or have received this e-mail in error) please notify the sender immediately and
destroy this e-mail. Any unauthorized copying, disclosure or distribution of the materials in this e-mail is
strictly forbidden.

Received on Saturday, 27 December 2014 16:37:00 UTC
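The precedence question raised in the message, modelled as an added Python example (not part of the thread and not the CSP specification's own algorithm): every enforced Content-Security-Policy header must allow a load, while Content-Security-Policy-Report-Only headers only produce violation reports, so an additional Report-Only header never changes the block decision. The source-expression matcher is a simplified subset of CSP matching (no paths, ports or nonces), assumed here for illustration.

```python
from urllib.parse import urlparse


def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_matches(expr, url, page_origin):
    """Simplified CSP source matching: 'self', 'none', *, scheme:, *.host, host, origin."""
    u = urlparse(url)
    origin = f"{u.scheme}://{u.netloc}"
    if expr == "'none'":
        return False
    if expr == "*":
        return True
    if expr == "'self'":
        return origin == page_origin
    if expr.endswith(":"):            # scheme-source, e.g. "https:"
        return u.scheme + ":" == expr
    if expr.startswith("*."):         # wildcard host, e.g. "*.example.com"
        return u.hostname is not None and u.hostname.endswith(expr[1:])
    if "://" in expr:                 # full origin, e.g. "https://cdn.example.com"
        return origin == expr
    return u.hostname == expr         # bare host; keyword sources never match a URL


def policy_allows(policy, directive, url, page_origin):
    """Evaluate one policy; fetch directives fall back to default-src when absent."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                   # no applicable directive: this policy does not restrict the load
    return any(source_matches(s, url, page_origin) for s in sources)


def evaluate(enforced_headers, report_only_headers, directive, url, page_origin):
    """Return (blocked, reports): blocked iff ANY enforced policy denies the load;
    report-only policies only add to the count of violation reports."""
    enforced = [parse_csp(h) for h in enforced_headers]
    report_only = [parse_csp(h) for h in report_only_headers]
    blocked = not all(policy_allows(p, directive, url, page_origin) for p in enforced)
    reports = sum(1 for p in report_only if not policy_allows(p, directive, url, page_origin))
    return blocked, reports


if __name__ == "__main__":
    # Constructed scenario: the server's enforced policy plus an injected permissive Report-Only header.
    print(evaluate(["default-src 'self'"], ["script-src *"], "script-src",
                   "https://evil.example/x.js", "https://example.com"))  # (True, 0): still blocked
```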