- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 4 May 2012 10:37:16 -0700
- To: public-webappsec@w3.org
- Cc: Daniel Veditz <dveditz@mozilla.com>
At the face-to-face meeting, we discussed what to do when the user agent receives multiple Content-Security-Policy headers. At the meeting, we discussed enforcing default-src 'none' as the policy in that case in order to fail in an obnoxious way that the developer is likely to notice.

During the test jam, I noticed that all the tests used the following pattern:

    Content-Security-Policy: <insert policy here>
    X-Content-Security-Policy: <insert policy here>
    X-WebKit-CSP: <insert policy here>

Do we really want to enforce default-src 'none' in this case too? That doesn't seem like the right thing to do. Perhaps we ought to just enforce all the policies after all.

Adam
Received on Friday, 4 May 2012 17:38:19 UTC
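The two options Adam weighs (fall back to `default-src 'none'`, or enforce every delivered policy so a load must satisfy all of them) can be made concrete with a small model of CSP source matching. The following is an added example, not code from the thread or from any browser; the parser, the `all_policies_allow` function and the sample headers and origin are constructed for illustration, and host-source matching is simplified to whole-origin comparison plus a leading `*.` wildcard.

```python
from urllib.parse import urlsplit

# Constructed sample: two CSP header values delivered with one response,
# and the origin of the page that received them (both are assumptions).
PAGE_ORIGIN = "https://app.example.com"
HEADERS = [
    "default-src 'self'; img-src *",
    "default-src 'self' https://cdn.example.com",
]


def parse_csp(header):
    """Parse one CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue  # tolerate a trailing ';' or empty directive
        name, *sources = tokens
        policy[name.lower()] = sources
    return policy


def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def source_allows(source, url, page_origin):
    """Does a single source expression permit loading `url`? (simplified matching)"""
    if source == "'none'":
        return False
    if source == "'self'":
        return origin_of(url) == page_origin
    if source == "*":
        return True
    if source.endswith(":"):  # scheme-source such as https:
        return urlsplit(url).scheme == source[:-1]
    if source.startswith("*."):  # wildcard host label, e.g. *.example.com
        host = urlsplit(url).hostname or ""
        return host.endswith(source[1:])
    if "://" not in source:  # bare host: assume the page's scheme (simplification)
        source = urlsplit(page_origin).scheme + "://" + source
    return origin_of(url) == source


def policy_allows(policy, directive, url, page_origin):
    """Check one policy: use the specific directive, else fall back to default-src."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither directive present: this policy places no restriction
    return any(source_allows(s, url, page_origin) for s in sources)


def all_policies_allow(headers, directive, url, page_origin):
    """'Enforce all the policies': the load must be permitted by every header."""
    return all(policy_allows(parse_csp(h), directive, url, page_origin) for h in headers)


def fail_closed_allows(directive, url, page_origin):
    """The other option discussed: treat multiple headers as default-src 'none'."""
    return policy_allows(parse_csp("default-src 'none'"), directive, url, page_origin)


if __name__ == "__main__":
    checks = [
        ("script-src", "https://app.example.com/x.js"),    # allowed by both
        ("script-src", "https://cdn.example.com/x.js"),    # blocked by the first policy
        ("img-src", "https://photos.example.net/a.png"),   # blocked by the second policy
    ]
    for directive, url in checks:
        print(directive, url,
              "all-policies:", all_policies_allow(HEADERS, directive, url, PAGE_ORIGIN),
              "fail-closed:", fail_closed_allows(directive, url, PAGE_ORIGIN))
```

With the sample headers, only the same-origin script passes under "enforce all the policies": the CDN script is rejected by the first header and the third-party image by the second, because each policy is evaluated on its own and the load needs every one of them to agree. Under the `default-src 'none'` fallback nothing loads at all, which is the "obnoxious" failure mode the message describes.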