Re: Header Policy Vs. Meta tag policy

On 6/11/2014 12:20 AM, Mike West wrote:
> Thanks Dan. I agree with your analysis, and I appreciate you withdrawing
> your objection.
> I've made this change in

To be clear, your change does two things and we were mainly talking 
about the first:
  * allows use of both HTTP and <meta> CSP
  * allows use of multiple <meta> CSP

The arguments against (and in favor of) multiple <meta> CSP are pretty 
much the same as the arguments for and against allowing a combination of 
header and <meta> policies. "It's useful, and why not since it can only 
tighten policies" vs. "Injection bug in site might be used to circumvent 
a feature whose main purpose assumes you need protection from injection 
bugs". I'm not objecting to the change, just announcing my intention to 
sit in the corner and fret about the possibility.

-Dan Veditz

Received on Wednesday, 11 June 2014 16:01:13 UTC