- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Tue, 31 Jan 2017 11:16:20 -0800
- To: Mike O'Neill <michael.oneill@baycloud.com>
- Cc: "public-tracking@w3.org (public-tracking@w3.org) (public-tracking@w3.org)" <public-tracking@w3.org>

> On Jan 24, 2017, at 10:18 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote:
>
> Roy,
>
> CSP gets delivered via meta http-equiv="csp"
>
> https://www.w3.org/TR/CSP2/#delivery-html-meta-element
>
> for same reasons. If the response header is there the meta tag gets ignored. Allowing the option lets a hosted site return a status-id (in a meta tag) then that can point to controller specific TSR, and also lets it claim Tk: C for OOBC if the API isn’t there. As long as the tag gets ignored if the header is already there makes it fine IMO
>
> Mike

CSP sets a security policy for the included content embedding in the HTML. It does not fail to be true when you copy and paste it to another server, even if that move causes embedded requests to fail.

Tk describes the service controller's policy regarding tracking during this and future requests. Copy and paste it to another server and the claim will be false.

HTML page is content. Tracking policy is not.

....Roy

Received on Tuesday, 31 January 2017 19:16:51 UTC