Re: CSP 1.0: Are UAs permitted to implement reporting as opt-in?

The server can't rely on CSP being present at all.  By your reasoning,
we should remove all the requirements from the spec.

This thread is well past its usefulness.  You don't seem to have a
technical point and are just wasting the working group's time.

Adam


On Wed, Oct 17, 2012 at 2:44 PM, Fred Andrews <fredandw@live.com> wrote:
> Hi Boris,
>
> If the server can't rely on this then why does CSP require the UA to
> send a report when requested?
>
> cheers
> Fred
>
>> Date: Wed, 17 Oct 2012 12:23:10 -0400
>> From: bzbarsky@MIT.EDU
>> To: public-webappsec@w3.org
>
>> Subject: Re: CSP 1.0: Are UAs permitted to implement reporting as opt-in?
>>
>> On 10/17/12 6:49 AM, Fred Andrews wrote:
>> > Just to clarify, when reporting is required the server can depend on the
>> > absence of a report when it trips its own policy to signal that the UA
>> > has not
>> > implemented the policy.
>>
>> Dan's point was that no, the server can't rely on this.
>>
>> -Boris
>>

Received on Wednesday, 17 October 2012 22:06:27 UTC