W3C home > Mailing lists > Public > public-web-security@w3.org > October 2012

CSP spec not clear

From: Marc Stern <marc.stern@approach.be>
Date: Fri, 12 Oct 2012 14:13:30 +0200
Message-ID: <5078096A.9020803@approach.be>
To: public-web-security@w3.org
If my page loads a script on api.google.com, it is not clear if the 
user-agent, when parsing the google script, has to comply with the 
X-Content-Security-Policy header from my (HTML) page or with the one 
sent by the Javascript page.

Could you clarify this?


Received on Friday, 12 October 2012 12:14:06 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:20 UTC