On Wed, Jun 11, 2014 at 12:41 PM, Sigbjørn Vik <sigbjorn@opera.com> wrote: > Looks good, then I have no further objections. Thanks for the > constructive work, and putting up with my paranoia :) > Thanks for being constructively paranoid. > Optionally, include the cross domain check. > I think the cross-domain check is already in: see "along with requests for resources whose origin does not match the protected resource’s origin" in https://w3c.github.io/webappsec/specs/content-security-policy/#ch-csp-client-hint . Did I miss it somewhere else? > I think the following code has one too many nots in it: > "source list <em>does not</em> contain the <code>'unsafe-redirect'</code>" Ah. Yes. I got a bit carried away there. :) https://github.com/w3c/webappsec/commit/aa120cf40e95c0da63ca7d30bdbabd12fb826d02 -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 11 June 2014 10:49:49 UTC