
Re: [CSP2] Number of CSP Header Fields

From: Oda, Terri <terri.oda@intel.com>
Date: Mon, 6 Apr 2015 10:38:59 -0700
Message-ID: <CACoC0R8p1EwhA1wsTqHWx9g=L==3pqxLO8mUiwp9dSAZk3Jzqw@mail.gmail.com>
To: Stefan Ossendorf <stefan.ossendorf@outlook.de>
Cc: Martin Thomson <martin.thomson@gmail.com>, Mike West <mkwst@google.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>

I believe the prohibition for multiple headers was probably to avoid
attacker-injected CSP headers.

On Fri, Apr 3, 2015 at 10:25 AM, Stefan Ossendorf <
stefan.ossendorf@outlook.de> wrote:

> I think he means "multiple policy headers" are only one policy.
>
> My question is: Why is it prohibited with the first statement when it's
> irrelevant?
>
> -----Original Message-----
> From: Martin Thomson [mailto:martin.thomson@gmail.com]
> Sent: Friday, 3 April 2015 19:02
> To: Mike West
> Cc: Anne van Kesteren; Stefan Ossendorf; public-webappsec@w3.org
> Subject: Re: [CSP2] Number of CSP Header Fields
>
> On 3 April 2015 at 06:47, Mike West <mkwst@google.com> wrote:
> > Right. This is what I meant. Multiple policies can be concatenated
> > into a single, comma-separated header.
>
> Well, isn't that just a single policy then?
>
>
>
Received on Monday, 6 April 2015 17:39:27 UTC
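
Added example, not part of the original thread: a simplified JavaScript model of the behaviour discussed above, in which policies sent as separate header fields and policies joined by commas in one field both become a list of policies that a script load must all satisfy. Source matching is reduced to `*`, `'self'` and exact origins, and the function names and the `example` origins are assumptions made for illustration.

```javascript
// Simplified model (assumption): only '*', 'self' and exact origins are matched.

// Split every header field value on commas: each piece is one policy.
function parsePolicies(headerValues) {
  return headerValues
    .flatMap((value) => value.split(","))
    .map((text) => text.trim())
    .filter((text) => text.length > 0)
    .map(parseDirectives);
}

// Turn "script-src 'self'; img-src *" into Map { directive name -> [sources] }.
function parseDirectives(policyText) {
  const directives = new Map();
  for (const part of policyText.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    // A repeated directive inside one policy is ignored; the first one wins.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

function policyAllowsScript(directives, origin, selfOrigin) {
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (sources === undefined) return true; // this policy does not restrict scripts
  return sources.some((s) =>
    s === "*" || (s === "'self'" && origin === selfOrigin) || s === origin);
}

// A load must pass every policy, so an extra policy can only narrow the result.
function scriptAllowed(headerValues, origin, selfOrigin) {
  return parsePolicies(headerValues)
    .every((p) => policyAllowsScript(p, origin, selfOrigin));
}

// Constructed sample: the same two policies as two header fields and as one.
const asTwoFields = ["script-src 'self' https://cdn.example", "script-src 'self'"];
const asOneField = [asTwoFields.join(", ")];
const site = "https://app.example";
console.log(scriptAllowed(asTwoFields, "https://cdn.example", site)); // false
console.log(scriptAllowed(asOneField, "https://cdn.example", site)); // false
console.log(scriptAllowed([asTwoFields[0]], "https://cdn.example", site)); // true
```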
