WICG / Realms-Initialization-Control

Introduce security controls to same origin realms in web applications
MIT License

How to support enforcing-multiple-policies in CSP? #6

Closed weizman closed 1 month ago

weizman commented 3 months ago

Great input by @kzar - https://github.com/WICG/Realms-Initialization-Control/issues/4#issuecomment-2184944203

Something I wasn't aware of is how, according to the CSP2 spec, multiple CSP headers must be supported.

I thought the first to be parsed by the browser would be the one to win and the rest would get ignored, but according to the spec, both are taken into account and the output is the most strict fusion of the two (see enforcing-multiple-policies@spec).

This is something the RIC proposal must take into account.

Intuitively, since the RIC CSP directive is going to support a list of remote JS files to fetch and run, I'd say that the fusion of multiple headers should naturally be that list, where former scripts in the directive are the ones parsed before the others.

So:

Content-Security-Policy: realm-init /x.js
Content-Security-Policy: realm-init /y.js

Will fuse into:

Content-Security-Policy: realm-init /x.js /y.js

Would highly appreciate feedback on this.
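As an added illustration (not code from the Realms-Initialization-Control proposal or from the issue author), the model below folds the `realm-init` lists of several Content-Security-Policy headers into one ordered list, earlier headers first, as proposed in this issue. It also contrasts that with how existing CSP directives behave under multiple policies, where each policy is enforced independently and a source must be allowed by every policy that names the directive. The directive name `realm-init` comes from the issue; the function names, the sample header values and the simplified exact-token source matching (no `'self'`, wildcards or `default-src` fallback) are assumptions made here.

```python
"""Model of CSP header fusion for the proposed realm-init directive.

Added illustration for the issue discussion; not part of the RIC proposal.
Assumed here: function names, sample headers, and exact-token source matching
(real CSP source-expression matching is considerably richer).
"""
from typing import Dict, List


def parse_policy(header_value: str) -> Dict[str, List[str]]:
    """Split one CSP header value into {directive: [tokens...]} in source order.

    Directives are separated by ';' and tokens by ASCII whitespace. A directive
    repeated inside a single policy is ignored after its first occurrence, which
    is what CSP specifies for duplicates within one header.
    """
    policy: Dict[str, List[str]] = {}
    for raw_directive in header_value.split(";"):
        parts = raw_directive.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name in policy:
            continue  # duplicate directive within one policy: first one wins
        policy[name] = parts[1:]
    return policy


def merge_realm_init(header_values: List[str]) -> List[str]:
    """Fuse the realm-init lists of several headers into one ordered list.

    Headers are processed in the order they were received, and each header's
    scripts keep their own relative order, matching the issue's suggestion that
    'realm-init /x.js' followed by 'realm-init /y.js' fuses to '/x.js /y.js'.
    Whether a URL that appears in two headers should run twice is not settled
    in the issue; this model keeps every occurrence.
    """
    merged: List[str] = []
    for value in header_values:
        merged.extend(parse_policy(value).get("realm-init", []))
    return merged


def allowed_by_all(header_values: List[str], directive: str, source: str) -> bool:
    """Existing-CSP semantics for multiple policies: enforce each independently.

    A source is permitted only if every policy that defines the directive lists
    it, so adding a header can only tighten, never loosen, the effective policy.
    Simplified: exact token match, no fallback to default-src.
    """
    for value in header_values:
        policy = parse_policy(value)
        if directive in policy and source not in policy[directive]:
            return False
    return True


# Constructed sample: the two headers from the issue, plus a script-src pair
# showing the intersection behaviour of ordinary directives.
ISSUE_HEADERS = [
    "realm-init /x.js",
    "realm-init /y.js",
]
SCRIPT_SRC_HEADERS = [
    "script-src https://a.example",
    "script-src https://a.example https://b.example",
]


def main() -> None:
    print("fused realm-init:", merge_realm_init(ISSUE_HEADERS))
    for src in ("https://a.example", "https://b.example"):
        print(src, "allowed:", allowed_by_all(SCRIPT_SRC_HEADERS, "script-src", src))


if __name__ == "__main__":
    main()
```

The contrast matters for the design question in the issue: for ordinary directives a second header can only restrict, whereas a concatenating `realm-init` makes a second header add code that runs, so a browser (or extension) supplying its own header changes what executes in every realm rather than merely narrowing what is permitted.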

kzar commented 3 months ago

I'm not the best person to comment, but FWIW something like your suggestion sounds good to me. I think both scripts should run in that scenario, because the website might break if its init script isn't run (e.g. if a browser extension added its own init script, similar to how some websites break if you block an analytics script, for example). Ordering the scripts by header order like you say sounds good to me as well.