Re: CSP spec not clear

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 12 Oct 2012 06:23:16 -0700
Message-ID: <CAJE5ia80Ok6-q69jfO2Znb+EALU=cdk1=L0LtOXx4Yv-krHiLQ@mail.gmail.com>
To: marc.stern@approach.be
Cc: public-web-security@w3.org
Thanks for the feedback.  It's the policy from the HTML page that
matters.  I'll clarify the spec.

Adam


On Fri, Oct 12, 2012 at 5:13 AM, Marc Stern <marc.stern@approach.be> wrote:
> If my page loads a script on api.google.com, it is not clear if the
> user-agent, when parsing the google script, has to comply with the
> X-Content-Security-Policy header from my (HTML) page or with the one sent by
> the Javascript page.
>
> Could you clarify this?
>
> Thanks
>
> Marc
>
Received on Friday, 12 October 2012 13:24:15 GMT
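
An added example, not part of the original thread: a minimal Node.js server for observing in a browser which policy governs a script, the one sent with the HTML page or the one sent with the script file. It uses the standardized Content-Security-Policy header name rather than the X- prefixed one in the question and serves the script from the same origin instead of a third-party host; the paths, port and policy values are constructed for illustration.

```javascript
// Added demo, not code from the thread. Paths, port and policies are constructed.
const PAGE_POLICY = "script-src 'self'";   // sent with the HTML document
const SCRIPT_POLICY = "script-src 'none'"; // sent with the script response itself

const PAGE = `<!doctype html>
<title>CSP demo</title>
<p id="out">widget.js did not run</p>
<script src="/widget.js"></script>`;

// Browser-side script: reports that it ran and whether eval() was permitted.
const WIDGET = `
var result;
try { eval('1'); result = 'allowed'; }
catch (e) { result = 'blocked (' + e.name + ')'; }
document.getElementById('out').textContent = 'widget.js ran; eval ' + result;`;

// Pure routing function, so the responses can be inspected without a socket.
function respond(path) {
  if (path === '/') {
    return { status: 200, body: PAGE, headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': PAGE_POLICY } };
  }
  if (path === '/widget.js') {
    return { status: 200, body: WIDGET, headers: {
      'Content-Type': 'text/javascript; charset=utf-8',
      'Content-Security-Policy': SCRIPT_POLICY } };
  }
  return { status: 404, body: 'not found', headers: { 'Content-Type': 'text/plain' } };
}

// Start the demo server on loopback only.
function serve(port) {
  return import('node:http').then(({ createServer }) =>
    createServer((req, res) => {
      const r = respond(req.url);
      res.writeHead(r.status, r.headers);
      res.end(r.body);
    }).listen(port, '127.0.0.1'));
}

if (process.argv[2] === 'serve') {
  serve(8080).then(() => console.log('open http://127.0.0.1:8080/'));
}
```

Saved under a name such as demo.js (hypothetical) and started with `node demo.js serve`, the page reports that widget.js ran even though its own response carried `script-src 'none'`, and that its eval() call was blocked with an EvalError because the page's policy lacks 'unsafe-eval'.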
