
I am performing a security assessment on a web application and I found it doesn't have the Content-Security-Policy, but instead it has Content-Secure-Policy. It is literally the first time I'm seeing such a case and I would like to know: Are these two headers equivalent?

Will browsers be able to recognize this Content-Secure-Policy?

  • I've looked through header documentation and googled around. It appears to be not an uncommon header *in use* but I cannot confirm what a browser will do with it. – schroeder Oct 21 '20 at 19:47
  • I would suggest that this is a typo. It was probably not tested if the attempted security policy actually works as expected. – Steffen Ullrich Oct 21 '20 at 20:02

1 Answer


They are not equivalent.

The W3C Draft for CSP only defines the headers Content-Security-Policy and Content-Security-Policy-Report-Only. No other headers are defined by the document.

That means browsers can choose to include this specific typo, but it is unlikely that browser vendors will attempt to predict all possible ways to misspell Content-Security-Policy in order to improve compatibility.

How to proceed now?

Mark it as a finding, stating that their CSP header is malformed and will likely be ignored by browsers. Fixing it should not be difficult anyway. If the developers state that some arbitrary browser they tested this on still works with it, you can still mention that it's not covered in any draft and is implementation-specific behavior - and thus a risk.
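An added check for this kind of finding, not code from the question or the answer: it takes a set of response headers, reports whether one of the two header names the CSP draft actually defines is present, and flags any header name that is a near miss of them (such as the Content-Secure-Policy in the question) using a string-similarity ratio. The sample headers and the 0.8 similarity cutoff are constructed assumptions; in a real assessment you would feed it the headers captured from the target response.

```python
import difflib

# The only two header names the CSP specification defines.
CSP_HEADERS = ("content-security-policy", "content-security-policy-report-only")

# Constructed sample response headers modelled on the question:
# a misspelled header and no real Content-Security-Policy.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Secure-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
}


def check_csp_headers(headers, cutoff=0.8):
    """Report whether a defined CSP header is present and which header
    names look like misspellings of the defined ones.

    headers: mapping of response header name -> value (names matched
             case-insensitively, as HTTP header names are).
    cutoff:  similarity ratio (0..1) at or above which a header name
             counts as a look-alike (assumed threshold).
    """
    names = {name.lower(): name for name in headers}
    present = [names[h] for h in CSP_HEADERS if h in names]
    lookalikes = []
    for lower, original in names.items():
        if lower in CSP_HEADERS:
            continue  # a real CSP header, nothing to flag
        for spec_name in CSP_HEADERS:
            ratio = difflib.SequenceMatcher(None, lower, spec_name).ratio()
            if ratio >= cutoff:
                lookalikes.append((original, spec_name, round(ratio, 2)))
                break
    return {
        "csp_present": bool(present),
        "csp_headers": present,
        "lookalikes": lookalikes,
    }


def findings(headers):
    """Turn the check result into finding lines for an assessment report."""
    result = check_csp_headers(headers)
    out = []
    for name, spec_name, ratio in result["lookalikes"]:
        out.append(
            f"Header '{name}' resembles '{spec_name}' (similarity {ratio}) "
            "but is not defined by the CSP specification; browsers will ignore it."
        )
    if not result["csp_present"]:
        out.append("No Content-Security-Policy header is set; the page has no effective CSP.")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_HEADERS):
        print(line)
```

Running it on the sample produces two findings: the look-alike header and the absence of a real policy. Once the developers rename the header to Content-Security-Policy, the same check returns no findings, which makes it a convenient retest.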