google / csp-evaluator

https://csp-evaluator.withgoogle.com
Apache License 2.0

improve parsing of multi-value CSP headers #25

Open mrl5 opened 3 years ago

mrl5 commented 3 years ago

Intro

This might be controversial because RFC 2616 states "each separated by a comma":

It MUST be possible to combine the multiple header fields into one "field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field-value to the first, each separated by a comma.

but I figured that it would be good to create such an issue anyway so that you are aware and can decide

Steps to reproduce

let's assume that https://example.com responds with these headers:

Content-Security-Policy: frame-ancestors 'none'
Content-Security-Policy: object-src 'none'
Content-Security-Policy: script-src 'self' 'sha256-ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0='

put https://example.com into textarea of https://csp-evaluator.withgoogle.com/

Actual result

in textarea of https://csp-evaluator.withgoogle.com/ they will be parsed as:

Content-Security-Policy: frame-ancestors 'none', object-src 'none', script-src 'self' 'sha256-ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0='

(notice , instead of ;). Because of the commas, object-src and script-src will be marked as missing

Expected result

headers from steps to reproduce are parsed as

Content-Security-Policy: frame-ancestors 'none'; object-src 'none'; script-src 'self' 'sha256-ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0='

Additional info

Google Chrome 87 interprets the headers from Steps to reproduce in a way that object-src and script-src are respected

Proposed solution

Multi-value headers should be joined using ; instead of ,