CSP headers are incorrect with multiple rules #682

Open
letanloc1998 opened this issue Oct 8, 2024 · 3 comments

@letanloc1998

Hi everyone,

When we configure the CSP header like:

Content-Security-Policy: a
Content-Security-Policy: b
Content-Security-Policy: c

Each header is independent. (It means we must write rules for both script-src-elem and connect-src, ...)

How do we split Content-Security-Policy into multiple headers? Because it's very long.

Many thanks

@mikewest
Member

mikewest commented Oct 8, 2024

I don't think I understand the question.

Content-Security-Policy: a
Content-Security-Policy: b
Content-Security-Policy: c

would imply that a and b and c are all enforced. You don't need to specify each directive in a distinct header, though:

Content-Security-Policy: a; b; c

would also enforce a, b, and c. The two models differ in some edge cases that are important (e.g. enforcing hashes or nonces and an allowlist of domains), but they're often interchangeable.

Is that somewhere near what you're asking?

@annevk
Member

annevk commented Oct 8, 2024

Per the combining semantics, shouldn't it be identical to

Content-Security-Policy: a, b, c

?

@mikewest
Member

mikewest commented Oct 8, 2024

Yes. But Content-Security-Policy: a, b, c is not identical to Content-Security-Policy: a; b; c. The former creates three policies, all of which are enforced. The latter creates one policy with three directives, all of which are enforced. These are distinct. For example, a simplified version of the headers sent from myaccount.google.com is:

content-security-policy: script-src ... 'nonce-75mShyMY4JEfhPfGuk2DeA';object-src 'none'; ...
content-security-policy: script-src https://apis.google.com [more domains go here]; ...

That enforces a nonce constraint and also enforces an allowlist of domains. That's not possible to do in a single policy.
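The difference described in the two replies above (several headers or a comma-separated value give several policies that are all enforced, a semicolon-separated value gives one policy with several directives) is easiest to see by running a small model of the combining rules. The following is an added example, not code from the webappsec-csp project or from any browser. It models only script-src with host sources, 'nonce-...' and 'none', matches host sources by origin only, and assumes constructed header values modelled on the myaccount.google.com example (https://cdn.example stands in for "[more domains go here]", and the script URLs are made up).

```javascript
// Added example, not code from the w3c/webappsec-csp issue or from any
// browser: a simplified model of how several Content-Security-Policy
// headers combine. Only script-src with host sources, 'nonce-...' and
// 'none' is modelled; hashes, 'self', 'strict-dynamic', wildcards, path
// matching and the default-src fallback are deliberately left out.

// Parse raw header values. A page may send several CSP header fields, and a
// single field value may hold several policies separated by commas; both
// yield a list of policies. Within a policy, directives are separated by
// semicolons. Each policy is a Map: directive name -> [source expressions].
function parsePolicies(headerValues) {
  const policies = [];
  for (const value of headerValues) {
    for (const policyText of value.split(",")) {
      const policy = new Map();
      for (const directiveText of policyText.split(";")) {
        const tokens = directiveText.trim().split(/\s+/).filter(Boolean);
        if (tokens.length === 0) continue;
        const [rawName, ...sources] = tokens;
        const name = rawName.toLowerCase();
        // A directive repeated inside one policy is ignored (first one wins).
        if (!policy.has(name)) policy.set(name, sources);
      }
      if (policy.size > 0) policies.push(policy);
    }
  }
  return policies;
}

// Within ONE source list, expressions are OR-ed: matching any of them is
// enough. `script` is { url?: string, nonce?: string }; an inline script
// has no url.
function sourceListAllows(sources, script) {
  for (const src of sources) {
    if (src === "'none'") continue; // matches nothing
    const nonce = /^'nonce-([^']+)'$/.exec(src);
    if (nonce) {
      if (script.nonce === nonce[1]) return true;
      continue;
    }
    // Anything else is treated as a host source and matched by origin only.
    if (script.url === undefined) continue;
    let srcOrigin;
    try { srcOrigin = new URL(src).origin; } catch { continue; }
    if (srcOrigin === new URL(script.url).origin) return true;
  }
  return false;
}

// Across policies, results are AND-ed: every policy that carries a
// script-src directive must allow the script. (Policies without script-src
// are ignored here; a browser would fall back to default-src.)
function scriptAllowed(policies, script) {
  return policies.every((policy) => {
    const sources = policy.get("script-src");
    return sources === undefined || sourceListAllows(sources, script);
  });
}

// Constructed header values modelled on the thread's myaccount.google.com
// example; https://cdn.example stands in for "[more domains go here]".
const NONCE = "75mShyMY4JEfhPfGuk2DeA";
const twoHeaders = [
  `script-src 'nonce-${NONCE}'; object-src 'none'`,
  "script-src https://apis.google.com https://cdn.example",
];
// The same two policies carried in a single header field, comma-separated.
const commaHeader = [twoHeaders.join(", ")];
// One policy whose single script-src merges the nonce and the allowlist.
const oneHeader = [
  `script-src 'nonce-${NONCE}' https://apis.google.com https://cdn.example; object-src 'none'`,
];

// Constructed script loads to evaluate (URLs are made up for the example).
const inlineWithNonce = { nonce: NONCE };
const allowlistedNoNonce = { url: "https://apis.google.com/js/api.js" };
const allowlistedWithNonce = { url: "https://apis.google.com/js/api.js", nonce: NONCE };
const foreignWithNonce = { url: "https://other.example/x.js", nonce: NONCE };

// Evaluate every script against every header layout.
// Returns { layoutName: { scriptName: allowed } }.
function compareLayouts() {
  const layouts = { twoHeaders, commaHeader, oneHeader };
  const scripts = { inlineWithNonce, allowlistedNoNonce, allowlistedWithNonce, foreignWithNonce };
  const result = {};
  for (const [layoutName, headers] of Object.entries(layouts)) {
    const policies = parsePolicies(headers);
    result[layoutName] = {};
    for (const [scriptName, script] of Object.entries(scripts)) {
      result[layoutName][scriptName] = scriptAllowed(policies, script);
    }
  }
  return result;
}

console.table(compareLayouts());
```

Running it shows the point of the thread: with two policies (or the comma form, which parses to the same two policies) only the script that carries the nonce and comes from an allowlisted origin is permitted, while the single semicolon-joined policy permits any script that satisfies either the nonce or the allowlist, including a nonced script from an unrelated origin.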
