CSP spec not clear

If my page loads a script on api.google.com, it is not clear if the 
user-agent, when parsing the google script, has to comply with the 
X-Content-Security-Policy header from my (HTML) page or with the one 
sent by the Javascript page.

Could you clarify this?



Received on Friday, 12 October 2012 12:14:06 UTC