On 04/05/2012 19:37, Adam Barth wrote:
> what to do when the user
> agent receives multiple Content-Security-Policy headers. At the
> meeting, we discussed enforcing default-src 'none' as the policy in
> that case in order to fail in an obnoxious way that the developer is
> likely to notice.
>
> During the test jam, I noticed that all the tests used the
> following pattern:
>
> Content-Security-Policy: <insert policy here>
> X-Content-Security-Policy: <insert policy here>
> X-WebKit-CSP: <insert policy here>
>
> Do we really want to enforce default-src 'none' in this case too?
> That doesn't seem like the right thing to do. Perhaps we ought to
> just enforce all the policies after all.

Or enforce the first one we can recognize, but if we find more than one of the same "variant" (e.g. two X-WebKit-CSP) *then* fail hard?

Wouldn't this allow graceful degradation patterns with prefixed headers, but still help authors to clean up bogus configurations?

-- G

Received on Friday, 4 May 2012 18:15:40 GMT
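The selection rule proposed in the reply, beside Adam Barth's "enforce all the policies" alternative, written out as an added Python example (not code from the thread or from any browser). The header lists are constructed samples, and the preference order among the three header variants is an assumption.

```python
from collections import defaultdict

# CSP header variants a user agent of the time recognised, in order of
# preference (assumed): the unprefixed name first, then vendor prefixes.
CSP_VARIANTS = ("content-security-policy",
                "x-content-security-policy",
                "x-webkit-csp")

# The "fail in an obnoxious way" policy discussed at the meeting.
FAIL_HARD_POLICY = "default-src 'none'"


def group_csp_headers(headers):
    """Group raw (name, value) response headers by recognised CSP variant.
    Names are case-insensitive; unrelated headers are ignored."""
    groups = defaultdict(list)
    for name, value in headers:
        key = name.strip().lower()
        if key in CSP_VARIANTS:
            groups[key].append(value.strip())
    return groups


def select_policy(headers):
    """Rule proposed in the reply: enforce the first variant we recognise, but
    fail hard if any single variant is sent more than once.
    Returns the policy to enforce, or None when no CSP header is present."""
    groups = group_csp_headers(headers)
    if any(len(values) > 1 for values in groups.values()):
        return FAIL_HARD_POLICY
    for variant in CSP_VARIANTS:
        if variant in groups:
            return groups[variant][0]
    return None


def enforce_all(headers):
    """Adam Barth's alternative: every policy sent is enforced, so a load must
    satisfy each of them. Returns the list of policies to apply."""
    groups = group_csp_headers(headers)
    return [v for variant in CSP_VARIANTS for v in groups.get(variant, [])]


# Constructed sample responses (not from the thread).
# The test-jam pattern: one header per variant, a graceful-degradation setup.
GRACEFUL_DEGRADATION = [("Content-Security-Policy", "default-src 'self'"),
                        ("X-Content-Security-Policy", "default-src 'self'"),
                        ("X-WebKit-CSP", "default-src 'self'")]
# A bogus configuration: the same variant sent twice.
DUPLICATE_VARIANT = [("X-WebKit-CSP", "default-src 'self'"),
                     ("X-WebKit-CSP", "script-src https://cdn.example")]
```

Under the proposed rule the test-jam pattern enforces the unprefixed policy as-is, while the duplicated variant is what triggers default-src 'none'.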
This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 4 May 2012 18:15:40 GMT