
Re: [CSP2] Number of CSP Header Fields

From: Mike West <mkwst@google.com>
Date: Fri, 3 Apr 2015 11:09:25 +0200
Message-ID: <CAKXHy=cgBkCjqmCXOXi-k4rkhAwWvDWSzQiWSpXqnJFS9XRY5A@mail.gmail.com>
To: Stefan Ossendorf <stefan.ossendorf@outlook.de>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Hi Stefan!

On Thu, Apr 2, 2015 at 11:06 PM, Stefan Ossendorf <
stefan.ossendorf@outlook.de> wrote:

> Hello,
>
> I have a question about the Header Field.
>
> I’m referring to
> http://www.w3.org/TR/CSP2/#content-security-policy-header-field
>
> First statement:
>
> “A server MUST NOT send more than one HTTP header field named
> Content-Security-Policy with a given resource representation.”
>
> According to RFC 2119 (https://www.ietf.org/rfc/rfc2119.txt) it’s
> prohibited to send more than one header field.
>
> But the last statement says:
>
> “Upon receiving an HTTP response containing at least one
> Content-Security-Policy header field, the user agent MUST enforce each of
> the policies contained in each such header field.”
>
> At least one? The first statement is really clear?

1. Servers don't always do what they must, so we need to define error
handling in a sane way. :)

2. A single `Content-Security-Policy` header can contain multiple policies,
separated by commas.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 3 April 2015 09:10:13 UTC
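The two points in the reply above, as an added example that is not part of the thread and not code from the CSP specification or from any browser: a toy model of how a user agent collects policies from a response that carries more than one `Content-Security-Policy` header field, splits each field on commas into separate policies, and then enforces every policy it found, so a fetch succeeds only when every policy allows it. The header values, origin and URLs are constructed for the example, and the source-expression matching is a simplified assumption (scheme, exact host, `*.` host wildcard, `'self'`, `*`, `'none'`; ports and paths are ignored), not the spec's full matching algorithm.

```python
"""Toy model of CSP2 policy collection and enforcement (added example).

Two rules modelled:
  * a response may arrive with several Content-Security-Policy header
    fields (servers must not do this, but user agents must cope);
  * one header field may carry several policies separated by commas.
Every policy found is enforced, so a request passes only if all of them
allow it.  Source matching below is deliberately simplified (assumption).
"""
from urllib.parse import urlparse


def parse_policy(serialized):
    """Parse one serialized policy ('directive sources; ...') into a dict.

    A directive name that repeats inside one policy keeps its first
    occurrence; later duplicates are ignored, as CSP2 parsing does.
    """
    policy = {}
    for token in serialized.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, sources)
    return policy


def split_policies(header_values):
    """Turn the list of CSP header field values into a list of policies.

    Each header field value is split on commas first, so two fields of
    'a, b' and 'c' yield three policies, matching the 'each of the
    policies contained in each such header field' wording.
    """
    policies = []
    for value in header_values:
        for serialized in value.split(","):
            policy = parse_policy(serialized)
            if policy:
                policies.append(policy)
    return policies


def source_allows(source, origin, url):
    """Simplified source-expression match (assumption: no ports/paths)."""
    parsed = urlparse(url)
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return origin == f"{parsed.scheme}://{parsed.netloc}"
    if source.endswith(":") and "/" not in source:  # scheme-source, e.g. https:
        return parsed.scheme == source[:-1]
    scheme, _, host = source.rpartition("://")       # host-source
    if scheme and scheme != parsed.scheme:
        return False
    if host.startswith("*."):
        return parsed.hostname.endswith(host[1:])     # host[1:] == '.example.com'
    return parsed.hostname == host


def policy_allows(policy, directive, origin, url):
    """One policy's verdict: the named directive, else default-src, else allow."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_allows(s, origin, url) for s in sources)


def response_allows(header_values, directive, origin, url):
    """Enforce every policy found in the response; all must allow the fetch."""
    return all(policy_allows(p, directive, origin, url)
               for p in split_policies(header_values))


# Constructed response: two header fields, the second carrying two policies.
ORIGIN = "https://example.com"
HEADERS = [
    "default-src 'self'; script-src 'self' https://cdn.example.com",
    "img-src *, script-src https:",
]

if __name__ == "__main__":
    print(len(split_policies(HEADERS)), "policies found")
    for directive, url in [
        ("script-src", "https://cdn.example.com/a.js"),   # allowed by all three
        ("script-src", "http://cdn.example.com/a.js"),    # first policy rejects http
        ("img-src", "https://other.example/pic.png"),     # 'img-src *' cannot loosen default-src 'self'
    ]:
        print(directive, url, "->", response_allows(HEADERS, directive, ORIGIN, url))
```

The third probe is the one worth remembering when debugging: a permissive policy in a second header (or after a comma) never loosens a stricter one, because the user agent enforces each policy it received, so the most restrictive answer wins.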
