[CSP2] Number of CSP Header Fields

From: Stefan Ossendorf <stefan.ossendorf@outlook.de>
Date: Thu, 2 Apr 2015 23:06:38 +0200
Message-ID: <DUB113-DS21584504BA9DF95115C9FE2F20@phx.gbl>
To: <public-webappsec@w3.org>

Hello,

I have a question about the header field.

I'm referring to
http://www.w3.org/TR/CSP2/#content-security-policy-header-field

First statement:

"A server MUST NOT send more than one HTTP header field named
Content-Security-Policy with a given resource representation."

According to RFC 2119 (https://www.ietf.org/rfc/rfc2119.txt) it's prohibited
to send more than one header field.

But the last statement says:

"Upon receiving an HTTP response containing at least one
Content-Security-Policy header field, the user agent MUST enforce each of
the policies contained in each such header field."

At least one? Isn't the first statement really clear?

Thank you

Stefan Ossendorf

Received on Thursday, 2 April 2015 21:07:07 UTC
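The two quoted sentences are about different parties: the first constrains what a server may send, the second says what a user agent does with whatever actually arrives. Since a proxy may also fold two identically named header fields into one comma-joined field, and CSP2 already uses the comma to separate policies inside a single field, a receiver sees the same list of policies either way and enforces each one independently, so a second policy can only tighten the effective result. The following toy model is an added example written for this page, not code from the CSP2 specification, from the W3C, or from the poster. It assumes constructed header lists (`HEADERS_TWO_FIELDS`, `HEADERS_FOLDED`), a hypothetical page origin `PAGE_ORIGIN`, and only a subset of CSP source expressions ('self', 'none', '*', `scheme:`, and host sources with an optional leading `*.`); nonces, hashes, path matching and default-port normalisation are deliberately left out.

```python
"""Toy model of CSP2 handling of several Content-Security-Policy header fields.

Added example for this mailing-list page; not spec text and not the poster's code.
Covers only a subset of source expressions (see the lead-in above).
"""
from urllib.parse import urlsplit

# Constructed sample headers (assumed, not taken from any real response).
HEADERS_TWO_FIELDS = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' https://cdn.example"),
    ("Content-Security-Policy", "script-src 'self' https://analytics.example"),
]
# The same response after an intermediary folded the two fields into one (RFC 7230 style).
HEADERS_FOLDED = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' https://cdn.example, "
     "script-src 'self' https://analytics.example"),
]
PAGE_ORIGIN = "https://app.example"  # assumed origin of the protected document


def extract_csp_policies(raw_headers):
    """Return every policy carried by the response, one string per policy.

    A single field may hold several comma-separated policies (CSP2 allows
    that), and two separate fields yield the same list as one folded field,
    so the receiver never needs to know how many fields the server sent.
    """
    policies = []
    for name, value in raw_headers:
        if name.lower() == "content-security-policy":
            policies.extend(p.strip() for p in value.split(",") if p.strip())
    return policies


def parse_policy(policy):
    """'script-src 'self' cdn.example; img-src *' -> {'script-src': [...], ...}"""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        # CSP2: a repeated directive name within one policy is ignored.
        directives.setdefault(name, parts[1:])
    return directives


def source_matches(expr, url, page_origin):
    """Does one source expression match the URL? (subset of CSP2 matching)"""
    u = urlsplit(url)
    url_origin = f"{u.scheme}://{u.netloc}".lower()
    e = expr.lower()
    if e == "'self'":
        return url_origin == page_origin.lower()
    if e == "*":
        return True
    if e.endswith(":"):  # scheme-source such as "https:"
        return u.scheme == e[:-1]
    if e.startswith("'"):  # other keywords ('unsafe-inline', nonces, ...) never match a URL
        return False
    scheme, _, rest = e.rpartition("://")  # host-source: [scheme://]host[:port]
    if scheme and scheme != u.scheme:
        return False
    host, _, port = rest.partition(":")
    if port and str(u.port) != port:
        return False
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host


def policy_allows_script(directives, url, page_origin):
    """Apply script-src, falling back to default-src; no directive means allowed."""
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    if any(s.lower() == "'none'" for s in sources):
        return False
    return any(source_matches(s, url, page_origin) for s in sources)


def script_allowed(raw_headers, url, page_origin=PAGE_ORIGIN):
    """A script loads only if *every* policy in the response allows it:
    the policies are enforced independently, so their effect is an intersection."""
    policies = [parse_policy(p) for p in extract_csp_policies(raw_headers)]
    return all(policy_allows_script(d, url, page_origin) for d in policies)


if __name__ == "__main__":
    for hdrs in (HEADERS_TWO_FIELDS, HEADERS_FOLDED):
        print(len(extract_csp_policies(hdrs)), "policies found")
        for src in ("https://app.example/app.js", "https://cdn.example/lib.js",
                    "https://analytics.example/t.js"):
            print(f"  {src}: {'allowed' if script_allowed(hdrs, src) else 'blocked'}")
```

Run as-is, the script shows that `cdn.example` is allowed by the first policy alone but blocked once the second field is present, and that the folded form produces exactly the same two policies and the same decisions; that is why the UA rule speaks of "at least one" field even though a conforming server sends at most one.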