- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Tue, 19 Jul 2011 23:19:43 -0700
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org

> something like (using ABNF):
>
> source = [ modifier ] "self" / scheme ":" host [ ":" port ]
> modifier = "^" // do not report
>          / "?" // warn only
>

Again, I don't understand. How would this work for your case? Note that the geo fetch is violating BOTH of your origin declarations ('self'/mnot.net and *.static.flickr.com). Seems that the way to make an exception would be to add a new "Don't report violations caused by access to the following origins:" keyword. That seems pretty ugly to me.

-devdatta

> etc.
>
>>> - I tried adding an X-WebKit-CSP header with the same policy on the front page, but Chrome behaved differently; e.g., it didn't want to load a local .js, even though that's allowed by the policy.
>>
>> If you send me a reduced test case of the issue you're running into,
>> I'd be happy to fix it.
>
> Will see what I can do.
>
> --
> Mark Nottingham http://www.mnot.net/
Received on Wednesday, 20 July 2011 06:20:32 UTC
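
The objection in the reply above, worked through as an added example that is not part of the original message or of any CSP implementation: a fetch that matches none of the listed sources never reaches a per-source modifier, so silencing it means listing the offending origin itself. Assumptions: sources are written `scheme://host`, a host may start with `*.`, the modifier semantics are one possible reading of the quoted ABNF comments, and `geo.example` is a placeholder origin.

```javascript
// Grammar quoted in the thread:
//   source   = [ modifier ] "self" / scheme ":" host [ ":" port ]
//   modifier = "^" (do not report) / "?" (warn only)
// Assumed reading: a modified source names an origin that is still not
// allowed, but whose violations are silenced ("^") or only warned ("?").
const SOURCE_RE =
  /^([\^?])?(?:'?self'?|([a-z][a-z0-9+.-]*):\/\/(\*\.)?([a-z0-9.-]+)(?::(\d+))?)$/i;
const DEFAULT_PORT = { http: "80", https: "443" };
const portOf = (scheme, port) => port || DEFAULT_PORT[scheme] || "";

function parseSource(token) {
  const m = SOURCE_RE.exec(token);
  if (!m) throw new Error(`not a valid source: ${token}`);
  const [, modifier = null, scheme, wildcard, host, port = ""] = m;
  if (!scheme) return { modifier, self: true };
  return { modifier, self: false, scheme: scheme.toLowerCase(),
           wildcard: Boolean(wildcard), host: host.toLowerCase(), port };
}

function matches(src, url, selfOrigin) {
  if (src.self) return url.origin === selfOrigin;
  const scheme = url.protocol.slice(0, -1);
  if (scheme !== src.scheme) return false;
  if (portOf(scheme, url.port) !== portOf(src.scheme, src.port)) return false;
  return src.wildcard ? url.hostname.endsWith("." + src.host)
                      : url.hostname === src.host;
}

// The first matching source decides; no match is an ordinary reported violation.
function evaluate(policy, requestUrl, selfOrigin) {
  const url = new URL(requestUrl);
  const hit = policy.trim().split(/\s+/).map(parseSource)
    .find((src) => matches(src, url, selfOrigin));
  if (!hit) return "block+report";
  return { "^": "block, no report", "?": "warn only" }[hit.modifier] || "allow";
}

// Constructed sample: page on mnot.net, geo lookup on a placeholder origin.
const SELF = "http://www.mnot.net";
const GEO = "https://geo.example/lookup";
// Neither declaration matches the geo fetch, with or without modifiers.
console.log(evaluate("self http://*.static.flickr.com", GEO, SELF));
console.log(evaluate("^self ^http://*.static.flickr.com", GEO, SELF));
// Only an entry for the geo origin itself changes the outcome.
console.log(evaluate("self http://*.static.flickr.com ^https://geo.example", GEO, SELF));
```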