Allow servers to send multiple Content-Security-Policy headers.
author Adam Barth <w3c@adambarth.com>
Fri, 18 May 2012 12:25:50 -0700
changeset 116 f0931d0ab6eb
parent 115 98686787971c
child 117 92b2fc38ee2e
csp-1.0-specification.html
csp-specification.dev.html
     1.1 --- a/csp-1.0-specification.html	Fri May 18 12:10:34 2012 -0700
     1.2 +++ b/csp-1.0-specification.html	Fri May 18 12:25:50 2012 -0700
     1.3 @@ -217,21 +217,6 @@
     1.4          <code>ALPHA</code> (letters), <code>DIGIT</code> (decimal
     1.5          0-9), <code>WSP</code> (white space) and <code>VCHAR</code> (printing
     1.6          characters).</p>
     1.7 -
     1.8 -        <p>The OWS rule is used where zero or more linear whitespace octets
     1.9 -        might appear.  OWS SHOULD either not be produced or be produced as a
    1.10 -        single SP.  Multiple OWS octets that occur within field-content SHOULD
    1.11 -        either be replaced with a single SP or transformed to all SP octets
    1.12 -        (each octet other than SP replaced with SP) before interpreting the
    1.13 -        field value or forwarding the message downstream.<p>
    1.14 -
    1.15 -<pre>
    1.16 -OWS            = *( SP / HTAB / obs-fold )
    1.17 -               ; "optional" whitespace
    1.18 -obs-fold       = CRLF ( SP / HTAB )
    1.19 -               ; obsolete line folding
    1.20 -</pre>
    1.21 -
    1.22        </section>
    1.23      </section>
    1.24  
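Review bot: deleting the OWS and obs-fold rules removes the document's only local definition of header whitespace handling, while the header grammar later in this patch switches to `1#policy`, whose `#` list operator is an HTTP/1.1 extension to ABNF rather than part of core ABNF; the grammar section should say which specification defines `#` (and its surrounding whitespace) now that OWS is gone. Also check that no remaining production in the document still references `OWS` after this deletion.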
    1.25 @@ -256,15 +241,12 @@
    1.26            preferred mechanism for delivering a CSP policy.</p>
    1.27  
    1.28  <pre>
    1.29 -"Content-Security-Policy:" OWS policy OWS
    1.30 +"Content-Security-Policy:" 1#policy
    1.31  </pre>
    1.32  
    1.33 -          <p>A server MUST NOT send more than one HTTP header field named
    1.34 +          <p>A server MAY send more than one HTTP header field named
    1.35            <code>Content-Security-Policy</code> with a given resource
    1.36 -          representation. Sending multiple <code>Content-Security-Policy</code>
    1.37 -          header fields in single HTTP response is unreliable because network
    1.38 -          intermediaries might combine multiple header fields into one,
    1.39 -          corrupting the policy.</p>
    1.40 +          representation.</p>
    1.41  
    1.42            <p>A server MAY send different <code>Content-Security-Policy</code>
    1.43            header field values with different representations of the same
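Review bot: the rewritten paragraph permits more than one `Content-Security-Policy` header field but says nothing about what a user agent does with more than one policy, and the dropped rationale (intermediaries merging header fields into one) is exactly the case `1#policy` is meant to handle. Add a sentence stating that the field value is parsed as a comma-separated list of policies and how the resulting policies combine (the natural choice being that each one is enforced), and confirm that the `policy` production cannot contain an unquoted comma, otherwise the list split is ambiguous.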
    1.44 @@ -284,7 +266,7 @@
    1.45            enforcing) a policy.</p>
    1.46  
    1.47  <pre>
    1.48 -"Content-Security-Policy-Report-Only:" OWS policy OWS
    1.49 +"Content-Security-Policy-Report-Only:" 1#policy
    1.50  </pre>
    1.51  
    1.52            <p>For example, a server operators might wish to develop their
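Review bot: the `1#policy` change here matches the one made to the enforced header; the unchanged context line `For example, a server operators might wish to develop their` has a number-agreement error (`a server operators`) that could be fixed while this paragraph is being touched.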
    1.53 @@ -296,13 +278,9 @@
    1.54            they start enforcing the policy using the
    1.55            <code>Content-Security-Policy</code> header field.</p>
    1.56  
    1.57 -          <p>A server MUST NOT send more than one HTTP header field named
    1.58 +          <p>A server MAY send more than one HTTP header field named
    1.59            <code>Content-Security-Policy-Report-Only</code> with a given
    1.60 -          resource representation. Sending multiple
    1.61 -          <code>Content-Security-Policy-Report-Only</code> header fields
    1.62 -          in single HTTP response is unreliable because network
    1.63 -          intermediaries might combine multiple header fields into one,
    1.64 -          corrupting the policy.<p>
    1.65 +          resource representation.<p>
    1.66  
    1.67            <p>A server MAY send different
    1.68            <code>Content-Security-Policy-Report-Only</code> header field values
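Review bot: the added line `resource representation.<p>` ends the paragraph with an opening `<p>` tag instead of `</p>`; since the `+` line rewrites that paragraph anyway, close it properly. Likewise, with multiple report-only header fields now permitted and `1#policy` making a merged field a comma-separated list, the text should say how a user agent handles more than one report-only policy.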
    1.69 @@ -318,7 +296,7 @@
    1.70            For example, if a server operator is using one policy but wishes to
    1.71            experiment with a stricter policy, the server operator can monitor
    1.72            the stricter policy while enforcing the original policy. Once the
    1.73 -          server operator is satified that the stricter policy does not break
    1.74 +          server operator is satisfied that the stricter policy does not break
    1.75            the web application, the server operator can start enforcing the
    1.76            stricter policy.</p>
    1.77          </section>
     2.1 --- a/csp-specification.dev.html	Fri May 18 12:10:34 2012 -0700
     2.2 +++ b/csp-specification.dev.html	Fri May 18 12:25:50 2012 -0700
     2.3 @@ -217,21 +217,6 @@
     2.4          <code>ALPHA</code> (letters), <code>DIGIT</code> (decimal
     2.5          0-9), <code>WSP</code> (white space) and <code>VCHAR</code> (printing
     2.6          characters).</p>
     2.7 -
     2.8 -        <p>The OWS rule is used where zero or more linear whitespace octets
     2.9 -        might appear.  OWS SHOULD either not be produced or be produced as a
    2.10 -        single SP.  Multiple OWS octets that occur within field-content SHOULD
    2.11 -        either be replaced with a single SP or transformed to all SP octets
    2.12 -        (each octet other than SP replaced with SP) before interpreting the
    2.13 -        field value or forwarding the message downstream.<p>
    2.14 -
    2.15 -<pre>
    2.16 -OWS            = *( SP / HTAB / obs-fold )
    2.17 -               ; "optional" whitespace
    2.18 -obs-fold       = CRLF ( SP / HTAB )
    2.19 -               ; obsolete line folding
    2.20 -</pre>
    2.21 -
    2.22        </section>
    2.23      </section>
    2.24  
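Review bot: the hunks in csp-specification.dev.html are byte-for-byte the same as those in csp-1.0-specification.html, so every comment on that file applies here too, including the `resource representation.<p>` line in the Report-Only paragraph that should end with `</p>`. If the dev file is meant to track the 1.0 file, generating one from the other would avoid the drift that duplicated hand edits invite.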
    2.25 @@ -256,15 +241,12 @@
    2.26            preferred mechanism for delivering a CSP policy.</p>
    2.27  
    2.28  <pre>
    2.29 -"Content-Security-Policy:" OWS policy OWS
    2.30 +"Content-Security-Policy:" 1#policy
    2.31  </pre>
    2.32  
    2.33 -          <p>A server MUST NOT send more than one HTTP header field named
    2.34 +          <p>A server MAY send more than one HTTP header field named
    2.35            <code>Content-Security-Policy</code> with a given resource
    2.36 -          representation. Sending multiple <code>Content-Security-Policy</code>
    2.37 -          header fields in single HTTP response is unreliable because network
    2.38 -          intermediaries might combine multiple header fields into one,
    2.39 -          corrupting the policy.</p>
    2.40 +          representation.</p>
    2.41  
    2.42            <p>A server MAY send different <code>Content-Security-Policy</code>
    2.43            header field values with different representations of the same
    2.44 @@ -284,7 +266,7 @@
    2.45            enforcing) a policy.</p>
    2.46  
    2.47  <pre>
    2.48 -"Content-Security-Policy-Report-Only:" OWS policy OWS
    2.49 +"Content-Security-Policy-Report-Only:" 1#policy
    2.50  </pre>
    2.51  
    2.52            <p>For example, a server operators might wish to develop their
    2.53 @@ -296,13 +278,9 @@
    2.54            they start enforcing the policy using the
    2.55            <code>Content-Security-Policy</code> header field.</p>
    2.56  
    2.57 -          <p>A server MUST NOT send more than one HTTP header field named
    2.58 +          <p>A server MAY send more than one HTTP header field named
    2.59            <code>Content-Security-Policy-Report-Only</code> with a given
    2.60 -          resource representation. Sending multiple
    2.61 -          <code>Content-Security-Policy-Report-Only</code> header fields
    2.62 -          in single HTTP response is unreliable because network
    2.63 -          intermediaries might combine multiple header fields into one,
    2.64 -          corrupting the policy.<p>
    2.65 +          resource representation.<p>
    2.66  
    2.67            <p>A server MAY send different
    2.68            <code>Content-Security-Policy-Report-Only</code> header field values
    2.69 @@ -318,7 +296,7 @@
    2.70            For example, if a server operator is using one policy but wishes to
    2.71            experiment with a stricter policy, the server operator can monitor
    2.72            the stricter policy while enforcing the original policy. Once the
    2.73 -          server operator is satified that the stricter policy does not break
    2.74 +          server operator is satisfied that the stricter policy does not break
    2.75            the web application, the server operator can start enforcing the
    2.76            stricter policy.</p>
    2.77          </section>