- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Mon, 07 May 2012 11:08:16 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: public-webappsec@w3.org

On 5/4/12 10:37 AM, Adam Barth wrote:
> During the test jam, and I noticed that all the tests used the
> following pattern:
>
> Content-Security-Policy: <insert policy here>
> X-Content-Security-Policy: <insert policy here>
> X-WebKit-CSP: <insert policy here>
>
> Do we really want to enforce default-src 'none' in this case too?
> That doesn't seem like the right thing to do. Perhaps we ought to
> just enforce all the policies after all.

How do you enforce "all" the policies if they are different? Unless you're reintroducing policy intersecting you still have to pick whether you're going to follow one or the other.

-Dan Veditz

Received on Monday, 7 May 2012 18:09:01 UTC