- From: Brian Smith <brian@briansmith.org>
- Date: Mon, 19 Jan 2015 14:07:22 -0800
- To: Mike West <mkwst@google.com>
- Cc: Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Mike West <mkwst@google.com> wrote: > On Thu, Nov 6, 2014 at 11:49 PM, Brian Smith <brian@briansmith.org> wrote: >> Based on your response and others' responses, it is now clear to me >> that CSP sandbox should not cause violation reports. I think that >> makes sense and I hope that is also the case for frame-ancestors too. > > I've explicitly addressed this in > https://github.com/w3c/webappsec/commit/971dd0916a7dcb558d3433278203c6930902c281. > WDYT? Looks good. I think it would be good to also list the things that aren't supported in <meta> in a note in section 3.3, which specifies the <meta> element. This way, the limitations of the <meta> element become clearer. Additionally, I think there should be a suggestion that the user agent should issue a warning when a directive is detected in a <meta> element that isn't supported in the meta element. Also, is it still intended that Content-Security-Policy-Report-Only isn't allowed in <meta>? I thought that this restriction was included back when <meta>- and header-field- specified policies were mutually exclusive, but now that those rules have changed, does it still make sense to prohibit <meta http-equiv=Content-Security-Policy-Report-Only>? Cheers, Brian
Received on Monday, 19 January 2015 22:07:49 UTC