- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 12 Mar 2013 14:08:45 +0000
- To: "Hill, Brad" <bhill@paypal-inc.com>
- Cc: Ian Melven <imelven@mozilla.com>, Tobias Gondrom <tobias.gondrom@gondrom.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Tue, Mar 12, 2013 at 2:03 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> [Hill, Brad] That's covered in
>
> https://dvcs.w3.org/hg/user-interface-safety/raw-file/0475e30847bf/user-interface-safety.html
>
> but I would certainly appreciate comments to make the behavior more explicit if you feel such is necessary.

I would expect MUST, not SHOULD. I would also expect that to result from following a set of rules. E.g.

1. If the CSP header is present and contains X, do ...
2. Otherwise, if the CSP header does not contain X, run these substeps:
   2.1 If there's an X-Frame-Options header, do ...

To make it completely unambiguous what is expected from implementations.

--
http://annevankesteren.nl/

Received on Tuesday, 12 March 2013 14:09:15 UTC