- From: Mike West <mkwst@google.com>
- Date: Fri, 3 Apr 2015 11:09:25 +0200
- To: Stefan Ossendorf <stefan.ossendorf@outlook.de>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=cgBkCjqmCXOXi-k4rkhAwWvDWSzQiWSpXqnJFS9XRY5A@mail.gmail.com>
Hi Stefan!

On Thu, Apr 2, 2015 at 11:06 PM, Stefan Ossendorf <stefan.ossendorf@outlook.de> wrote:

> Hello,
>
> I have a question about the Header Field.
> I’m referring to http://www.w3.org/TR/CSP2/#content-security-policy-header-field
>
> First statement:
> “A server MUST NOT send more than one HTTP header field named Content-Security-Policy with a given resource representation.”
>
> According to RFC 2119 (https://www.ietf.org/rfc/rfc2119.txt) it’s prohibited to send more than one header field.
> But the last statement says:
> “Upon receiving an HTTP response containing at least one Content-Security-Policy header field, the user agent MUST enforce each of the policies contained in each such header field.”
>
> At least one? The first statement is really clear?

1. Servers don't always do what they must, so we need to define error handling in a sane way. :)

2. A single `Content-Security-Policy` header can contain multiple policies, separated by commas.

-mike

--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 3 April 2015 09:10:13 UTC
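The two points in the reply, worked through as an added example that is not part of the thread or of any browser's code: a response that (against the MUST NOT) carries two `Content-Security-Policy` header fields, the first of which holds two comma-separated policies, is parsed into three policies, and a fetch is allowed only if every policy allows it. The header values, origins and the simplified source-list matching (only `'none'`, `'self'`, `*` and exact origins) are assumptions for the illustration.

```javascript
// Constructed sample: a server sent two CSP header fields; the first one holds
// two policies separated by a comma. All three policies must be enforced.
const CONSTRUCTED_HEADERS = [
  "default-src 'self'; script-src 'self' https://cdn.example, img-src *",
  "script-src https://cdn.example https://other.example",
];

// Split every header value on commas into policies, each policy on
// semicolons into directives; the first occurrence of a directive name wins.
function parsePolicies(headerValues) {
  const policies = [];
  for (const value of headerValues) {
    for (const policyText of value.split(',')) {
      const directives = new Map();
      for (const token of policyText.split(';')) {
        const parts = token.trim().split(/\s+/).filter(Boolean);
        if (parts.length === 0) continue;
        const name = parts[0].toLowerCase();
        if (!directives.has(name)) directives.set(name, parts.slice(1));
      }
      if (directives.size > 0) policies.push(directives);
    }
  }
  return policies;
}

// Simplified source-list check for one policy: the directive's own list, or
// default-src as fallback; no list at all means the policy does not restrict.
function policyAllows(policy, directive, origin, pageOrigin) {
  const list = policy.get(directive) ?? policy.get('default-src');
  if (list === undefined) return true;
  return list.some(src =>            // an empty list (or 'none') allows nothing
    src === '*' ||
    (src === "'self'" && origin === pageOrigin) ||
    src.toLowerCase() === origin.toLowerCase());
}

// Intersection semantics: a request must satisfy every policy that was received.
function allowed(headerValues, directive, origin, pageOrigin) {
  return parsePolicies(headerValues)
    .every(p => policyAllows(p, directive, origin, pageOrigin));
}

// A script from cdn.example passes all three policies; one from the page's own
// origin is blocked because the second header field does not list 'self'.
console.log(allowed(CONSTRUCTED_HEADERS, 'script-src', 'https://cdn.example', 'https://app.example'));
console.log(allowed(CONSTRUCTED_HEADERS, 'script-src', 'https://app.example', 'https://app.example'));
```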