Comments on CSP Level 2

Based upon <>.

* Some indication of this spec's relationship to CSP1 is necessary, if only to say "It is backwards-compatible and adds the following directives..."  Without that, it's very difficult for readers to judge what's changed, and whether they need to change existing deployed policies.

* Prefixing header field names with "CH-" is cargo cult protocol design; please stop it. See also <>. It's not a "Client Hint", it's a request header field.

* If you want any other values to be possible, you need to define extensibility for CH-CSP. Also, *WSP is not necessary there.

* See <> for a list of other things to think about / document when creating new header fields.

* Having a different spelling for "referrer" as compared to the header seems to invite problems/misunderstanding...


Mark Nottingham

Received on Thursday, 14 August 2014 02:27:40 UTC