- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Wed, 11 Jun 2014 09:00:45 -0700
- To: Mike West <mkwst@google.com>
- CC: Kevin Hill <khill@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 6/11/2014 12:20 AM, Mike West wrote:
> Thanks Dan. I agree with your analysis, and I appreciate you withdrawing
> your objection.
>
> I've made this change in
> https://github.com/w3c/webappsec/commit/f697c40eea84b6c57480c0e3783993a47ebdc3d5
>
> WDYT?

To be clear, your change does two things and we were mainly talking about the first:

* allows use of both HTTP and <meta> CSP
* allows use of multiple <meta> CSP

The arguments against (and in favor of) multiple <meta> CSP are pretty much the same as the arguments for and against allowing a combination of header and <meta> policies. "It's useful, and why not since it can only tighten policies" vs. "Injection bug in site might be used to circumvent a feature whose main purpose assumes you need protection from injection bugs".

I'm not objecting to the change, just announcing my intention to sit in the corner and fret about the possibility.

-Dan Veditz
Received on Wednesday, 11 June 2014 16:01:13 UTC
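An added illustration of the "can only tighten" point discussed above; this is not code from the thread or from the CSP spec. Each delivered policy (HTTP header or <meta>) is enforced on its own, so a load must satisfy every one of them. It assumes a fixed document origin (example.com, constructed) and models only a subset of source matching (no nonces, hashes, paths or ports).

```python
from urllib.parse import urlsplit

# Assumed origin of the document that carries the policies (constructed).
DOCUMENT_ORIGIN = "https://example.com"

def parse_policy(policy):
    """Serialized CSP -> {directive: [source expressions]}; a repeated
    directive inside one policy is ignored, as CSP specifies."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives

def source_matches(expr, url):
    """Subset of CSP source matching: 'none', *, 'self', scheme-only and
    host expressions (optional *. wildcard); nonces/hashes/ports omitted."""
    expr, u = expr.lower(), urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "*":
        return u.scheme not in ("data", "blob", "filesystem")
    if expr == "'self'":
        return f"{u.scheme}://{u.netloc}" == DOCUMENT_ORIGIN
    if expr.endswith(":"):                      # scheme-source, e.g. https:
        return u.scheme == expr[:-1]
    scheme, _, host = expr.rpartition("://")    # host-source, scheme optional
    if scheme and u.scheme != scheme:
        return False
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host

def policy_allows(policy, directive, url):
    """One policy: the governing directive (falling back to default-src)
    must contain a matching source; no applicable directive means allow."""
    sources = policy.get(directive, policy.get("default-src"))
    return True if sources is None else any(source_matches(s, url) for s in sources)

def allowed(policies, directive, url):
    """Several delivered policies (header and/or <meta>) are enforced
    independently, so a load must pass every one: an added policy can
    restrict what is already allowed but never re-enable what is blocked."""
    return all(policy_allows(parse_policy(p), directive, url) for p in policies)

# Constructed policies: an HTTP header policy and a <meta> policy that tightens it.
HEADER_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.net"
META_POLICY = "script-src 'self'"
```

With both policies delivered, the CDN script the header alone permits is refused, while a looser second policy such as `script-src *` changes nothing the header already blocks.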