[CSP] specify handling of malformed content-security-policy HTTP header #6
Comments
|
From @metromoxie on October 3, 2015 0:31 There are more nuanced alternatives. For example, if a |
|
From @michaelficarra on October 3, 2015 21:24 @metromoxie Being permissive like that can lead to unintentional vulnerabilities at worst and strange inconsistencies at best, unless the specification is very explicit about the details of error recovery. As-is, the specification does not make much sense, parsing source lists in one way in the The easiest way to safely handle this is to fall back to some restrictive default for malformed policies. Care should be taken, though, to allow for future directives and possibly even extensions to the grammar. |
|
From @metromoxie on October 5, 2015 18:33 @michaelficarra Sure, but we should explore all the options, especially when one of them is how it appears to be currently defined. And if we change it to be more closed, we risk breaking sites that are currently compatible with the spec, which might be a nasty surprise. |
|
It looks like this issue, the lack of defined error handling, has led to different behavior between browsers and a site compat issue for Firefox in https://bugzilla.mozilla.org/show_bug.cgi?id=1629699. Thanks @bakkot for pointing me here in #434 (comment). I see that #363 to fix this has been open for a long time. @mikewest is the desired behavior clear at this point and it's "just" a matter of writing it down, or is there more work to do still? |
From @shekyan on October 2, 2015 23:31
Section 3.1 should be explicit how user-agent should behave in the context of malformed
content-security-policyheader.For example, unknown directive, non-ASCII characters, multiple 'none' keywords in source-expression do not match the 'policy-token' grammar.
We suggest treating these headers as either
default-src 'none'ordefault-src 'self'Copied from original issue: w3c/webappsec#495
The text was updated successfully, but these errors were encountered: