Enforce every policy received, but still forbid servers from sending more than one.
author Adam Barth <w3c@adambarth.com>
Sun, 06 May 2012 23:35:43 -0700
changeset 100 96603653094a
parent 99 eea1c214cc85
child 101 7e995988d564
csp-specification.dev.html
     1.1 --- a/csp-specification.dev.html	Sun May 06 23:24:07 2012 -0700
     1.2 +++ b/csp-specification.dev.html	Sun May 06 23:35:43 2012 -0700
     1.3 @@ -261,16 +261,19 @@
     1.4  
     1.5            <p>A server MUST NOT send more than one HTTP header field named
     1.6            <code>Content-Security-Policy</code> with a given resource
     1.7 -          representation.  A server MAY send different
     1.8 -          <code>Content-Security-Policy</code> header field values with
     1.9 -          different representations of the same resource or with different
    1.10 -          resources.</p>
    1.11 +          representation. Sending multiple <code>Content-Security-Policy</code>
    1.12 +          header fields in single HTTP response is unreliable because network
    1.13 +          intermediaries might combine multiple header fields into one,
    1.14 +          corrupting the policy.</p>
    1.15 +
    1.16 +          <p>A server MAY send different <code>Content-Security-Policy</code>
    1.17 +          header field values with different representations of the same
    1.18 +          resource or with different resources.</p>
    1.19  
    1.20            <p>Upon receiving an HTTP response containing at least one
    1.21            <code>Content-Security-Policy</code> header field, the user agent
    1.22 -          MUST <a href="#enforce">enforce</a> the policy contained in the
    1.23 -          <em>first</em> such header field. The user agent MUST ignore
    1.24 -          subsequent such header fields.</p>
    1.25 +          MUST <a href="#enforce">enforce</a> each of the policies contained
    1.26 +          in each such header field.</p>
    1.27          </section>
    1.28  
    1.29          <section>
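Review bot: The new requirement "MUST enforce each of the policies contained in each such header field" leaves the combined semantics open; a reader could take it to mean the policies are applied independently rather than together. Since the intent is that every received policy applies, suggest saying so explicitly, e.g. "MUST enforce all of the policies contained in these header fields", plus one sentence stating that a load or script is permitted only if every enforced policy permits it. Also, "in single HTTP response" in the added rationale is missing the article: "in a single HTTP response".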
    1.30 @@ -295,16 +298,21 @@
    1.31  
    1.32            <p>A server MUST NOT send more than one HTTP header field named
    1.33            <code>Content-Security-Policy-Report-Only</code> with a given
    1.34 -          resource representation.  A server MAY send different
    1.35 +          resource representation. Sending multiple
    1.36 +          <code>Content-Security-Policy-Report-Only</code> header fields
    1.37 +          in single HTTP response is unreliable because network
    1.38 +          intermediaries might combine multiple header fields into one,
    1.39 +          corrupting the policy.<p>
    1.40 +
    1.41 +          <p>A server MAY send different
    1.42            <code>Content-Security-Policy-Report-Only</code> header field values
    1.43            with different representations of the same resource or with different
    1.44            resources.</p>
    1.45  
    1.46            <p>Upon receiving an HTTP response containing at least one
    1.47            <code>Content-Security-Policy-Report-Only</code> header field, the
    1.48 -          user agent MUST <a href="#monitor">monitor</a> the policy contained
    1.49 -          in the <em>first</em> such header field. The user agent MUST ignore
    1.50 -          subsequent such header fields.</p>
    1.51 +          user agent MUST <a href="#monitor">monitor</a> each of the policies
    1.52 +          contained in each such header field.</p>
    1.53  
    1.54            <p>A server MAY monitor one policy while enforcing another policy.
    1.55            For example, if a server operator is using one policy but wishes to
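Review bot: The added paragraph ends with "corrupting the policy.<p>", which opens a new paragraph instead of closing the current one; it should be "corrupting the policy.</p>" so the element is closed before the following "A server MAY send different" paragraph, otherwise the specification's HTML is malformed (the enforce section in the previous hunk gets this right). The same article is missing here as in the previous hunk: "in single HTTP response" should read "in a single HTTP response". Whatever wording is settled on for "monitor each of the policies contained in each such header field" should mirror the enforce section so the two sections stay parallel.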