
Does the meta http-equiv="Content-Security-Policy" tag allow lists of policies? #5102

Open
@bakkot


The HTML spec says that the content of a <meta http-equiv="Content-Security-Policy" content="..."> tag should be a serialized-policy and should be parsed according to Parse a serialized CSP.

This implies that it does not allow multiple comma-separated policies, such as img-src 'none', script-src 'sha256-lLvWePLrgCn07EcwYB0JPy65n3OloEYiWK34Ql9Zdmc='. That would be a serialized-csp-list, parsed according to Parse a serialized CSP list, which nothing I can find actually uses. (Also, that algorithm returns multiple policies, each of which would need to be enforced.)

However, both Chrome and Safari do allow policy lists such as the above. Firefox and the Nu HTML checker do not: Firefox attempts to parse it as a single policy, comma included, while the Nu HTML checker considers it an outright error.

As far as I can tell, the web platform tests do not cover this case.

Here is a simple page with the above comma-separated CSP, which contains both an image and an inline script with no hash. Its source is below.

Which is the intended behavior?

demo page source

```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <meta http-equiv="Content-Security-Policy" content="img-src 'none', script-src 'sha256-lLvWePLrgCn07EcwYB0JPy65n3OloEYiWK34Ql9Zdmc='">
  <title>CSP test</title>
</head>
<body>
  <span id="title">If you can see this, the CSP violation event listener was prevented from executing.</span>
  <!-- The sha256 source in the policy above is meant to cover the text of this script,
       so its contents must stay byte-for-byte as written or the hash no longer matches. -->
  <script nonce="example">
    document.getElementById('title').innerText = 'CSP directives violated:';
    let directives = new Set;
    document.addEventListener('securitypolicyviolation', function(e) {
      directives.add(e.violatedDirective);
      document.getElementById('violations').innerHTML = [...directives].map(v => '<li>' + v).join('');
    });
  </script>
  <ul id="violations"></ul>

  <!-- Loaded from a data: URL; blocked wherever img-src 'none' is actually enforced. -->
  <img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" alt="a red dot">
  <!-- Inline script with neither a nonce nor a hash in the policy. -->
  <script>console.log('a console log from an inline script')</script>
</body>
</html>
```
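The difference the issue describes, as an added example that is not part of the issue or of any browser or spec code: toy versions of the two CSP3 parsing algorithms (serialized CSP vs. serialized CSP list), run on the meta content above. It assumes only directive names and their source lists matter; reporting directives, source-expression matching and the exact ASCII-whitespace rules of the real algorithms are left out.

```javascript
// Added example, not code from the issue or the HTML/CSP specs: toy models of the
// two parsing algorithms the issue contrasts, run on the issue's meta content.
// Assumptions: only directive names and their source lists are modelled; reporting
// directives, source matching and the real ASCII-whitespace handling are omitted.

// "Parse a serialized CSP": a single policy. Directives are separated by ';', the
// directive name is the first whitespace-delimited token, the rest is its value.
function parseSerializedCSP(serialized) {
  const policy = new Map();
  for (const directive of serialized.split(';')) {
    const tokens = directive.trim().split(/[ \t\n\r\f]+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // later duplicates are ignored
  }
  return policy;
}

// "Parse a serialized CSP list": split on ',' first, then parse each piece as its
// own policy. Every policy in the resulting list is enforced independently.
function parseSerializedCSPList(list) {
  return list.split(',').map(parseSerializedCSP).filter((p) => p.size > 0);
}

// Directive names that would actually be enforced under a given reading.
function enforcedDirectives(policies) {
  return [...new Set(policies.flatMap((p) => [...p.keys()]))].sort();
}

const META_CONTENT =
  "img-src 'none', script-src 'sha256-lLvWePLrgCn07EcwYB0JPy65n3OloEYiWK34Ql9Zdmc='";

// Single-policy reading (what the issue says Firefox does): one img-src directive
// whose value swallows the comma and the would-be script-src directive, so the
// hash is never enforced and the unhashed inline script runs.
const single = parseSerializedCSP(META_CONTENT);

// List reading (Chrome/Safari per the issue): two policies, img-src 'none' in the
// first and the script hash in the second, both enforced.
const list = parseSerializedCSPList(META_CONTENT);

console.log('single policy:', [...single.entries()]);
console.log('policy list:', list.map((p) => [...p.entries()]));
console.log('enforced (single):', enforcedDirectives([single]));
console.log('enforced (list):', enforcedDirectives(list));
```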

Metadata

Labels: impacts documentation (used by documentation communities, such as MDN, to track changes that impact documentation); interop (implementations are not interoperable with each other); needs tests (moving the issue forward requires someone to write tests); security/privacy (there are security or privacy implications)
