You're entirely correct, Brian. Thanks. I'll add something. -mike -- Mike West <mkwst@google.com>, @mikewest Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Tue, Aug 11, 2015 at 5:44 PM, Brian Smith <brian@briansmith.org> wrote: > On Tue, Aug 11, 2015 at 3:29 AM, Mike West <mkwst@google.com> wrote: > >> 2. It drops the `CSP` header entirely. Chrome implemented it, and rolled >> it back due to unexpected interactions with CORS. No other browser >> implemented it (as far as I'm aware?). This feature was marked as "at >> risk", and as it's going to require more thought ( >> https://github.com/whatwg/fetch/issues/52), I'd like to bump it to CSP3. >> >> > The spec should at least mention the privacy problem that the CSP request > header was supposed to help websites mitigate in its security/privacy > considerations section. > > Cheers, > Brian > >
Received on Tuesday, 11 August 2015 15:52:47 UTC