Description
The HTML spec says that the content of a `<meta http-equiv="Content-Security-Policy" content="...">` tag should be a `serialized-policy` and should be parsed according to "Parse a serialized CSP". This implies that it does not allow multiple comma-separated policies, such as `img-src 'none', script-src 'sha256-lLvWePLrgCn07EcwYB0JPy65n3OloEYiWK34Ql9Zdmc='`. That would be a `serialized-csp-list`, parsed according to "Parse a serialized CSP list", which nothing I can find actually uses. (Also, that algorithm returns multiple policies, each of which would need to be enforced.)
However, both Chrome and Safari do allow policy lists such as the above. Firefox and the Nu HTML checker do not: Firefox attempts to parse it as a single policy including the `,`, while the Nu HTML checker considers it an outright error.
As far as I can tell, the web platform tests do not cover this case.
Here is a simple page with the above comma-separated CSP, which contains both an image and an inline script with no hash. Its source is below.
Which is the intended behavior?
demo page source
```html
<!DOCTYPE html>
<head>
<meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="img-src 'none', script-src 'sha256-lLvWePLrgCn07EcwYB0JPy65n3OloEYiWK34Ql9Zdmc='">
<title>CSP test</title>
</head>
<body>
<span id="title">If you can see this, the CSP violation event listener was prevented from executing.</span>
<!-- The policy's sha256 hash is intended to cover this script, so any edit to it
     (even whitespace) will make a browser that enforces the script-src policy block it. -->
<script nonce="example">
document.getElementById('title').innerText = 'CSP directives violated:';
let directives = new Set;
document.addEventListener('securitypolicyviolation', function(e) {
directives.add(e.violatedDirective);
document.getElementById('violations').innerHTML = [...directives].map(v => '<li>' + v).join('');
});
</script>
<ul id="violations"></ul>
<!-- Blocked if the first policy (img-src 'none') is enforced -->
<img src="" alt="a red dot">
<!-- No hash or nonce: blocked if the second policy (script-src) is enforced -->
<script>console.log('a console log from an inline script')</script>
</body>
</html>
```
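To make the two readings concrete, here is an added example (not code from the issue, the demo page, or the spec) that implements the splitting steps of both CSP3 algorithms, "Parse a serialized CSP" and "Parse a serialized CSP list", and runs them over the meta tag's `content` string. The function names, the `compareInterpretations` helper, and the plain-object output shape are my own; the parser does not validate directive names or source expressions, it only shows how the string is tokenized under each reading.

```javascript
// Added example: minimal implementations of the two CSP3 parsing algorithms
// the issue contrasts. Function names and output shape are assumptions made
// here, not spec-defined APIs.

// The string from the demo page's <meta http-equiv="Content-Security-Policy">.
const META_CONTENT =
  "img-src 'none', script-src 'sha256-lLvWePLrgCn07EcwYB0JPy65n3OloEYiWK34Ql9Zdmc='";

// CSP3 "ASCII whitespace": tab, LF, FF, CR, space.
const ASCII_WS_RUN = /[\t\n\f\r ]+/;
const ASCII_WS_EDGES = /^[\t\n\f\r ]+|[\t\n\f\r ]+$/g;

function stripAsciiWhitespace(s) {
  return s.replace(ASCII_WS_EDGES, '');
}

// "Parse a serialized CSP": split on ';', the first non-whitespace run of each
// token is the directive name (lowercased), the remaining runs are the value.
// A repeated directive name is ignored, as the spec's algorithm does.
function parseSerializedCsp(serialized) {
  const directives = new Map();
  for (const token of serialized.split(';')) {
    const t = stripAsciiWhitespace(token);
    if (t === '') continue;
    const [name, ...value] = t.split(ASCII_WS_RUN);
    const lowered = name.toLowerCase();
    if (directives.has(lowered)) continue;
    directives.set(lowered, value);
  }
  return directives;
}

// "Parse a serialized CSP list": split on ',' first, then parse each non-empty
// piece as its own policy. Every returned policy would have to be enforced.
function parseSerializedCspList(serialized) {
  const policies = [];
  for (const token of serialized.split(',')) {
    const t = stripAsciiWhitespace(token);
    if (t === '') continue;
    policies.push(parseSerializedCsp(t));
  }
  return policies;
}

function policyToObject(policy) {
  return Object.fromEntries(policy);
}

// Show what the same meta content yields under each reading.
function compareInterpretations(content) {
  return {
    // What Chrome and Safari effectively do: two policies, both enforced.
    asList: parseSerializedCspList(content).map(policyToObject),
    // What the spec text for the meta element says to do: one policy, in which
    // "script-src" and "'none'," are just value tokens of img-src and no
    // script-src directive exists at all.
    asSinglePolicy: policyToObject(parseSerializedCsp(content)),
  };
}

console.log(JSON.stringify(compareInterpretations(META_CONTENT), null, 2));
```

Under the single-policy reading the only directive is `img-src`, with the value tokens `'none',`, `script-src` and the hash expression, so nothing in that reading governs the inline script; under the list reading the first policy carries `img-src 'none'` and the second `script-src` with the hash. That is exactly the split the demo page's violation listener is meant to surface.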