Re: [CSP2] Number of CSP Header Fields from Brian Smith on 2015-04-04 (public-webappsec@w3.org from April 2015)

From: Brian Smith <brian@briansmith.org>
Date: Fri, 3 Apr 2015 18:24:24 -1000
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Mike West <mkwst@google.com>, Anne van Kesteren <annevk@annevk.nl>, Stefan Ossendorf <stefan.ossendorf@outlook.de>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAFewVt7ur8k_-Ra1JpPaNxsqMePcK0gYO8VmgkisJ3Hwph7yag@mail.gmail.com>

Martin Thomson <martin.thomson@gmail.com> wrote:
> On 3 April 2015 at 06:47, Mike West <mkwst@google.com> wrote:
>> Right. This is what I meant. Multiple policies can be concatenated into a
>> single, comma-separated header.
>
> Well, isn't that just a single policy then?

No. Every comma delimits a separate policy. There are specific rules
for combining multiple policies together. "script-src: x, script-src:
y" means something much different from "script-src: x; script-src y"
which means something much different from "script-src: x y".

Cheers,
Brian

Received on Saturday, 4 April 2015 04:24:54 UTC