Re: Multiple Content-Security-Policy headers

On 5/4/12 10:37 AM, Adam Barth wrote:
> During the test jam, I noticed that all the tests used the
> following pattern:
> 
> Content-Security-Policy: <insert policy here>
> X-Content-Security-Policy: <insert policy here>
> X-WebKit-CSP: <insert policy here>
> 
> Do we really want to enforce default-src 'none' in this case too?
> That doesn't seem like the right thing to do.  Perhaps we ought to
> just enforce all the policies after all.

How do you enforce "all" the policies if they are different? Unless
you're reintroducing policy intersecting you still have to pick
whether you're going to follow one or the other.

-Dan Veditz
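As an added illustration (not part of this thread or any browser's code), one reading of "enforce all the policies" is the intersection Dan refers to: a load is permitted only if every delivered policy permits it, so differing policies never need to be reconciled into one. The helper names are hypothetical and source matching is simplified (host and scheme only, no path or port matching).

```javascript
// Evaluate several CSP header values under "enforce all" semantics:
// a load is allowed only when each policy, taken on its own, allows it.
// Hypothetical helpers; host matching is simplified (no path/port rules).

function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources; // e.g. "script-src" -> ["'self'", "https://cdn.example.com"]
  }
  return directives;
}

function sourceMatches(source, origin, url) {
  const target = new URL(url);
  if (source === "'none'") return false;
  if (source === "'self'") return target.origin === origin;
  if (source === '*') return true;
  // Scheme-only source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  // Host source, optionally with scheme; "*.example.com" matches subdomains
  const host = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').split('/')[0].split(':')[0];
  if (host.startsWith('*.')) return target.hostname.endsWith(host.slice(1));
  return target.hostname.toLowerCase() === host.toLowerCase();
}

function policyAllows(policy, directive, origin, url) {
  // Fetch directives fall back to default-src; no applicable directive means unrestricted
  const sources = directive in policy ? policy[directive] : policy['default-src'];
  if (sources === undefined) return true;
  return sources.some(s => sourceMatches(s, origin, url));
}

// "Enforce all": every delivered header must allow the load.
function allowedByAll(headers, directive, origin, url) {
  return headers.map(parsePolicy).every(p => policyAllows(p, directive, origin, url));
}

// Constructed sample: two differing policies delivered on one response.
const SAMPLE_HEADERS = [
  "default-src 'self'; script-src 'self' https://cdn.example.com",
  "default-src 'none'; script-src 'self'",
];
```

With the sample headers, a script from the page's own origin is allowed by both policies, while a script from cdn.example.com or an image from the page's own origin is refused because the second policy alone refuses it.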

Received on Monday, 7 May 2012 18:09:01 UTC