On Wed, Aug 12, 2015 at 8:16 AM, Julian Reschke <julian.reschke@gmx.de>
wrote:
>
> Then why do you have both comma and semicolon-delimited parameters? That
> sounds very confusing.
Commas come from misconfigured servers that send multiple `Clear-Site-Data`
headers. That is:
```
Clear-Site-Data: a
Clear-Site-Data: b
```
For CSP it's actually critical that we group the policy defined by a single
header together as a unit (as `default-src 'none'; script-src 'self'` is
_very_ different from `default-src 'none', script-src 'self'`). For
`Clear-Site-Data` it isn't (yet?) critical, but following that pattern
seems reasonable.
-mike