- From: Taras Ivashchenko <oxdef@yandex-team.ru>
- Date: Thu, 09 Mar 2017 12:01:12 +0300
- To: WebAppSec WG <public-webappsec@w3.org>
Received on Thursday, 9 March 2017 09:01:49 UTC
Hello! It is awkward to maintain backward compatible CSP policy, e.g. keep in it unsafe-inline with nonce for CSPv1 or frame- src/child-src. It looks like in the future versions of CSP such problem will be more obvious. In some cases in web application it is easer to have support of only the last one standard. What do you think about adding ability to specify the version of used CSP? It can be done in header name like: Content-Security-Policy-v3: ... If browser meets more the one CSP header it should use header with the latest support version. I had also reported the issue on GitHub but there is no activity in it during 8 days https://github.com/w3c/webappsec-csp/issues/189 -- Taras Ivashchenko Information Security Officer, Yandex
Received on Thursday, 9 March 2017 09:01:49 UTC