
Validator fails to merge policies with report-uri #228

Open
oschwald opened this issue Aug 29, 2019 · 5 comments

Comments

@oschwald

The validator fails to handle this policy taken directly from the CSP 2 specification:

Content-Security-Policy: frame-ancestors https://example.com/ 
Content-Security-Policy: default-src https:; report-uri https://example.com/

It says "Cannot merge policies if either policy contains a report-uri directive."

See mozilla/http-observatory#396 also.

Thoughts?

@bakkot
Member

bakkot commented Aug 29, 2019

There's no way to create a single CSP policy which does what those two do in combination, because there's no way to make a single policy which will use a report-uri for only a subset of its directives. So it can't merge those two policies.

Are you entering those headers manually, or is there a website that has both which you're trying to run through the "Validate CSP in headers and meta elements" box? If the latter, I'd consider that a bug in cspvalidator.org, I think.

@oschwald
Author

This happens both when I enter a site with multiple headers (www.maxmind.com) and when I enter the values manually.

I am not sure what the goal of the manual entry is, but the two header values could be merged into one by separating them with a comma. From the v2 spec:

Note also that combining them via ',' into the single header

Content-Security-Policy: frame-ancestors https://example.com/, default-src https:; report-uri https://example.com/

would have the same effect, as the comma splits the header during parsing.

@oschwald
Author

oschwald commented Aug 29, 2019

Related, I believe the merging is incorrect when you enter something like script-src example.com on one line and script-src 'nonce-value' on another line. This is not the same as an empty script-src. This is equivalent to requiring the script-src be from example.com AND have a nonce of "value".

@bakkot
Member

bakkot commented Aug 29, 2019

The main purpose of the manual entry (of merging, really) is to allow updating policies: for example, say you have an existing policy and you want to ensure scripts hosted on foo.com are allowed. Then you'd union your existing policy with script-src https://foo.com, and it would give you a policy ensuring that was allowed.

Anyway, yes, Salvation should probably be updated to support comma-separated lists of policies, and to support merging two policies with distinct report-uris by joining them with commas.

> Related, I believe the merging is incorrect when you enter something like script-src example.com on one line and script-src 'nonce-value' on another line. This is not the same as an empty script-src. This is equivalent to requiring the script-src be from example.com AND have a nonce of "value".

Unfortunately there's no way to represent that as a single policy either, though the fact that it produces an incorrect policy instead of an error is a bug.

@shekyan
Collaborator

shekyan commented Aug 29, 2019

> Related, I believe the merging is incorrect when you enter something like script-src example.com on one line and script-src 'nonce-value' on another line. This is not the same as an empty script-src. This is equivalent to requiring the script-src be from example.com AND have a nonce of "value".

There is a down arrow next to the Go! button, which allows selecting the merging strategy.
The default strategy is intersect; to produce the result that you want, the union strategy should be selected.

For the intersection strategy, the empty source-list is the only source-list value that satisfies both policies. It is equivalent to the browser enforcing
Content-Security-Policy: script-src example.com and
Content-Security-Policy: script-src 'nonce-value'. Or Content-Security-Policy: script-src example.com, script-src 'nonce-value', which is the same.

Update: you are right, that's a wrong output.
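As an added illustration of the behaviour discussed in this thread (this is not Salvation's code and was not posted by any participant): a small Python model of how a browser applies several Content-Security-Policy headers, showing why `script-src example.com` plus `script-src 'nonce-value'` means "host AND nonce" rather than an empty source list, and how a comma-joined header value splits into separate policies. It assumes simplified source lists (bare host names and 'nonce-...' tokens only).

```python
# Added example, not Salvation's code: a model of how a browser enforces
# several CSP policies at once. Each policy is enforced independently, so a
# script load is allowed only if every policy allows it. Assumptions: source
# lists hold bare host names or 'nonce-...' tokens; schemes, paths, wildcards
# and keywords such as 'self'/'none' are deliberately not modelled.

def split_header_list(header_value):
    """Split a comma-joined header value into separate policies, since the
    comma splits the header during parsing."""
    return [p.strip() for p in header_value.split(",") if p.strip()]

def parse_policy(policy):
    """Return {directive name: [source expressions]} for one serialized policy."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives

def source_allows(source_list, host, nonce):
    """Does one source list permit a script from `host` carrying `nonce`?"""
    for src in source_list:
        if src.startswith("'nonce-"):
            if nonce is not None and src == f"'nonce-{nonce}'":
                return True
        elif src == host:
            return True
    return False  # an empty source list ends here: nothing is allowed

def script_allowed(policies, host, nonce=None):
    """Browser semantics: the load passes only if every policy that governs
    scripts (script-src, else default-src) allows it."""
    for policy in policies:
        directives = parse_policy(policy)
        source_list = directives.get("script-src", directives.get("default-src"))
        if source_list is None:
            continue  # this policy says nothing about scripts
        if not source_allows(source_list, host, nonce):
            return False
    return True

def naive_intersection(policy_a, policy_b, directive):
    """The merge the thread calls wrong: intersecting the two source lists as
    sets. For a host source versus a nonce source the result is empty, which
    would block every script instead of requiring both conditions."""
    a = set(parse_policy(policy_a).get(directive, []))
    b = set(parse_policy(policy_b).get(directive, []))
    return sorted(a & b)
```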
