|  (→User-Agent and Other Client-Side Considerations:   added info about a report-only mode) | |||
| Line 134: | Line 134: | ||
| ==Policy Refinements with a Multiply-Specified Header== | ==Policy Refinements with a Multiply-Specified Header== | ||
| When multiple instances of the <tt>X-Content- | When multiple instances of the <tt>X-Content-Security-Policy</tt> HTTP header are present in an HTTP response, the intersection of the policies is enforced; essentially, the browser enforces a policy that is more strict than both the policies specified in the multiple headers, but only strict enough to correspond to rules in all policies.  Any web request that satisfied ''all'' policies alone will be accepted by the new policy, but any request rejected by ''any of'' of the two policies will be rejected.  The intersection is calculated on a directive-by-directive basis (i.e., the intersection of the <tt>allow</tt> directive is taken and enforced as the <tt>allow</tt> part of the effective policy). Explicitly, for two policies: | ||
| <blockquote> | <blockquote> | ||
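Review bot: the new right-hand text for Line 134 has a doubled word, "rejected by ''any of'' of the two policies"; drop one "of". The same sentence also slightly overstates the result: the intersection of two policies is at least as strict as each of them (identical to both when they are the same), not necessarily "more strict than both the policies". A phrasing consistent with the acceptance rule given in the following sentence would be "the browser enforces a policy at least as strict as each of the specified policies, accepting only requests that every policy would have accepted."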