- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 20 Jan 2011 10:24:33 -0500
- To: public-web-security@w3.org
> 1) Instead of using HTTP headers, the policy is expressed in HTML. This leaves the door open for various content-injection attacks that inject content before the policy <meta>. Is the benefit of expressing the policy in the same file worth it?
>
> -Boris
Received on Thursday, 20 January 2011 15:25:37 UTC