Re: CSP spec not clear from Adam Barth on 2012-10-12 (public-web-security@w3.org from October 2012)

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 12 Oct 2012 06:23:16 -0700
To: marc.stern@approach.be
Cc: public-web-security@w3.org
Message-ID: <CAJE5ia80Ok6-q69jfO2Znb+EALU=cdk1=L0LtOXx4Yv-krHiLQ@mail.gmail.com>

Thanks for the feedback.  It's the policy from the HTML page that
matters.  I'll clarify the spec.

Adam


On Fri, Oct 12, 2012 at 5:13 AM, Marc Stern <marc.stern@approach.be> wrote:
> If my page loads a script on api.google.com, it is not clear if the
> user-agent, when parsing the google script, has to comply with the
> X-Content-Security-Policy header from my (HTML) page or with the one sent by
> the Javascript page.
>
> Could you clarify this?
>
> Thanks
>
> Marc
>

Received on Friday, 12 October 2012 13:24:15 UTC