On Fri, Jan 23, 2015 at 6:25 PM, Jim Manico <jim.manico@owasp.org> wrote:
> Ok that's fair. Yea, to be honest I can even see CSP headers in a
> manifest for some sites. Configuring all this in one place is compelling.
> So I hope we can do a manifest OR per-page headers, with per-page headers
> taking precedence.
>
The pinning model in the proposal uses the existing combination logic for
multiple headers: resources simply need to pass all the policies applied to
a protected resource. I think overriding the pinned policy completely would
undermine its impact to some extent; I'd prefer to avoid doing that unless
there's a good reason to.
--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Register court and number: Hamburg, HRB 86891, Registered office:
Hamburg, Managing directors: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
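A reduced model of the combination rule Mike describes (a load must satisfy every policy that applies, so a per-page header can tighten a pinned policy but not loosen it), as an added example that is not part of the thread or of the CSP pinning proposal itself. The policy strings, hosts and the `allowedUnderAll` helper are constructed for illustration, and the source matcher covers only a subset of real CSP source expressions.

```javascript
// Added example (not from the thread): how multiple CSP policies combine.
// Source matching is a simplified subset of real CSP source expressions.
function parsePolicy(text) {
  const directives = {};
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function sourceMatches(src, url, pageOrigin) {
  const s = src.replace(/^'|'$/g, '').toLowerCase(); // strip quotes from keywords
  if (s === 'none') return false;
  if (s === 'self') return url.origin === pageOrigin;
  if (s === '*') return true; // simplification: real CSP excludes data:/blob: here
  if (s.endsWith(':')) return url.protocol === s; // scheme-source, e.g. https:
  const hostPart = s.includes('://') ? s.split('://')[1] : s; // host-source
  const host = hostPart.split('/')[0].split(':')[0];
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// A single policy allows the load if the directive (or default-src as
// fallback) lists a matching source; a policy with no applicable
// directive imposes no restriction on this load.
function policyAllows(policy, directive, url, pageOrigin) {
  const list = policy[directive] || policy['default-src'];
  if (!list) return true;
  return list.some(src => sourceMatches(src, url, pageOrigin));
}

// Combination rule: the load is allowed only if EVERY policy allows it,
// so a later (per-page) policy can only ever narrow what the pinned one permits.
function allowedUnderAll(policyTexts, directive, urlText, pageOrigin) {
  const url = new URL(urlText);
  return policyTexts.map(parsePolicy)
    .every(p => policyAllows(p, directive, url, pageOrigin));
}

// Constructed sample: a pinned policy plus a per-page header that tries to
// add a host the pinned policy does not allow.
const PINNED = "default-src 'self'; script-src 'self' https://cdn.example.com";
const PAGE_LOOSER = "script-src 'self' https://cdn.example.com https://other.example.net";
const PAGE_TIGHTER = "script-src 'self'";
const ORIGIN = 'https://app.example.com';
```

Under `[PINNED, PAGE_LOOSER]` a script from other.example.net is still blocked, while under `[PINNED, PAGE_TIGHTER]` even the pinned CDN is blocked.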