I believe the prohibition for multiple headers was probably to avoid
attacker-injected CSP headers.
On Fri, Apr 3, 2015 at 10:25 AM, Stefan Ossendorf <
stefan.ossendorf@outlook.de> wrote:
> I think he mean "multiple policy header" are only one policy.
>
> My question is: Why is it prohibited with the first statement when it's
> irrelevant?
>
> -----Ursprüngliche Nachricht-----
> Von: Martin Thomson [mailto:martin.thomson@gmail.com]
> Gesendet: Freitag, 3. April 2015 19:02
> An: Mike West
> Cc: Anne van Kesteren; Stefan Ossendorf; public-webappsec@w3.org
> Betreff: Re: [CSP2] Number of CSP Header Fields
>
> On 3 April 2015 at 06:47, Mike West <mkwst@google.com> wrote:
> > Right. This is what I meant. Multiple policies can be concatenated
> > into a single, comma-separated header.
>
> Well, isn't that just a single policy then?
>
>
>