- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 12 Aug 2015 08:26:30 +0200
- To: Mike West <mkwst@google.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On 2015-08-12 08:20, Mike West wrote:
> On Wed, Aug 12, 2015 at 8:16 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
>
> > Then why do you have both comma and semicolon-delimited parameters?
> > That sounds very confusing.
>
> Commas come from misconfigured servers that send multiple
> `Clear-Site-Data` headers. That is:
>
> ```
> Clear-Site-Data: a
> Clear-Site-Data: b
> ```
>
> For CSP it's actually critical that we group the policy defined by a
> single header together as a unit (as `default-src 'none'; script-src
> 'self'` is _very_ different from `default-src 'none', script-src
> 'self'`). For `Clear-Site-Data` it isn't (yet?) critical, but following
> that pattern seems reasonable.

Supporting multiple header fields and commas is get. But why then have ";" as well?

Received on Wednesday, 12 August 2015 06:28:15 UTC
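
The comma-versus-semicolon distinction quoted in this message, as an added example that is not part of the original thread or of any specification text: a simplified model of how a CSP header value splits into policies (comma) and directives (semicolon), and why the two strings above behave differently for a same-origin script. The function names are hypothetical and source matching is reduced to the literal `'self'` keyword.

```javascript
// Added example: simplified model of CSP header handling (an assumption-laden
// sketch, not a full CSP parser). Repeated header fields are joined with ", ",
// so a comma separates policies; a semicolon separates directives in one policy.

// Combine repeated header field values the way HTTP field combining does.
function combineFieldValues(values) {
  return values.join(", ");
}

// Split a combined value into policies, each a Map of directive -> source list.
function parsePolicies(headerValue) {
  return headerValue.split(",").map((policyText) => {
    const directives = new Map();
    for (const part of policyText.split(";")) {
      const tokens = part.trim().split(/\s+/).filter(Boolean);
      if (tokens.length === 0) continue;
      const name = tokens[0].toLowerCase();
      // Within one policy, the first occurrence of a directive wins.
      if (!directives.has(name)) directives.set(name, tokens.slice(1));
    }
    return directives;
  }).filter((directives) => directives.size > 0);
}

// One policy allows a same-origin script if script-src (or, failing that,
// default-src) lists 'self'. With neither directive, scripts are unrestricted.
function policyAllowsSelfScript(directives) {
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (sources === undefined) return true;
  return sources.includes("'self'");
}

// Every policy is enforced independently; a load must pass all of them.
function allowsSelfScript(headerValue) {
  return parsePolicies(headerValue).every(policyAllowsSelfScript);
}

// The two strings from the message above.
const onePolicy = "default-src 'none'; script-src 'self'";
const twoPolicies = "default-src 'none', script-src 'self'";
console.log(allowsSelfScript(onePolicy));   // one policy, script-src overrides default-src
console.log(allowsSelfScript(twoPolicies)); // two policies, the first still blocks scripts
```
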