Handle setting multiple headers of the same name (by using a comma-separated list)
Feature Request
Rails does not allow you to set multiple headers with the same name, but CSP allows this. However, multiple headers that are comma-separated can be used for the same effect.
This is an issue if you want to use the upcoming hashes for external sources feature AND restrict to a host:
Content-Security-Policy: script-src 'sha256-abc', script-src my.cdn.com
It will treat the script-src values as if they are separate policies, enforcing each individually.
See https://twitter.com/mikewest/status/852252789690556417
I guess this is supported by just inserting ", script-src" when needed. However, the append/override functions might behave unexpectedly.
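To make the "enforced individually" behaviour concrete, here is an added example (not code from the secure_headers gem) that splits a comma-separated CSP header value into its policies and checks a script against every one of them; the header strings, the script bodies and the host my.cdn.com are constructed for illustration, and host matching is simplified to an exact string comparison.

```ruby
require 'digest'
require 'base64'

# Split a Content-Security-Policy header value into its policies (comma
# separated), each policy into directives (semicolon separated), and each
# directive into its name and source list. Returns an array of hashes.
def parse_csp(header)
  header.split(',').map do |policy|
    policy.split(';').each_with_object({}) do |directive, acc|
      name, *sources = directive.strip.split(/\s+/)
      acc[name] = sources unless name.nil? || name.empty?
    end
  end
end

# Hash source expression for an inline script body, as a browser computes it.
def sha256_source(inline_body)
  "'sha256-#{Base64.strict_encode64(Digest::SHA256.digest(inline_body))}'"
end

# Does ONE policy's script-src (falling back to default-src) allow `script`?
# `script` is { inline: "<body>" } or { host: "<hostname>" }.
# Host matching is simplified: exact hostname or '*' only (no schemes,
# wildcards or paths), which is enough to show the multi-policy semantics.
def policy_allows_script?(policy, script)
  sources = policy['script-src'] || policy['default-src'] || []
  if script[:inline]
    sources.include?(sha256_source(script[:inline]))
  else
    sources.include?(script[:host]) || sources.include?('*')
  end
end

# Each comma-separated policy is enforced on its own, so a script must be
# allowed by ALL of them. A second policy therefore only ever narrows the
# first; it never adds an allowed source.
def header_allows_script?(header, script)
  parse_csp(header).all? { |policy| policy_allows_script?(policy, script) }
end
```

Running it against "script-src 'sha256-…', script-src my.cdn.com" shows that neither the hashed inline script nor a script from my.cdn.com is allowed, whereas the single policy "script-src 'sha256-…' my.cdn.com" allows both.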
I need help to randomise the part 'sha256-abc'
randomise
SHAs are not to be random, they're supposed to be static. Dynamic hashes are not supported by design, at least not by this library.
Meaning the "xxx" value in SHA256-xxx will always be static? This defeats the purpose of having sha256 in the setting, though.
Are you thinking about the nonce feature? That generates a random number per request, included in the header, and allows you to use e.g.
<%= nonced_javascript_tag do %>
console.log("nonced!");
<% end %>
<script nonce="<%= content_security_policy_nonce(:script) %>">
console.log("nonced!");
</script>
The SHA is absolutely supposed to be static. If it's dynamically computed, it has no value.