Re: CfC to publish a LCWD of CSP 1.1

On Wed, Jun 11, 2014 at 12:41 PM, Sigbjørn Vik <sigbjorn@opera.com> wrote:

> Looks good, then I have no further objections. Thanks for the
> constructive work, and putting up with my paranoia :)
>

Thanks for being constructively paranoid.


> Optionally, include the cross domain check.
>

I think the cross-domain check is already in: see "along with requests for
resources whose origin does not match the protected resource’s origin" in
https://w3c.github.io/webappsec/specs/content-security-policy/#ch-csp-client-hint
.

Did I miss it somewhere else?


> I think the following code has one too many nots in it:
> "source list <em>does not</em> contain the  <code>'unsafe-redirect'</code>"


Ah. Yes. I got a bit carried away there. :)

https://github.com/w3c/webappsec/commit/aa120cf40e95c0da63ca7d30bdbabd12fb826d02

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Wednesday, 11 June 2014 10:49:49 UTC