On Thu, Jul 28, 2016 at 12:43 AM, Brad Hill <hillbrad@gmail.com> wrote:
> 1) If I'm reading this correctly, you could never have a more relaxed CSP
> for a specific resource than the baseline value in an Origin Policy due to
> the way header combination works for CSP. It seems like some sort of escape
> hatch is necessary to disable Origin-Policy processing for a given response?
> (or you have to be absolutely 100% certain about the baseline policy
> contents and probably still send large delta policies with almost every
> request)

The opt-out is pointing to a different policy (or not pointing to one at all). That will lead to the browser disregarding the existing policy of course and notably doesn't work for CORS-preflights (too late at that point), but it's a pretty good defense-in-depth that crossdomain.xml didn't offer.

-- 
https://annevankesteren.nl/

Received on Thursday, 28 July 2016 07:41:20 UTC
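The combination rule Brad's point rests on, as an added illustration that is not part of the thread: when several CSP policies apply, a request must satisfy every one of them, so a per-response policy can only tighten an Origin Policy baseline. The parser below is a deliberate simplification (hosts only, no scheme or port matching) and the hostnames are constructed.

```javascript
// Added example: a minimal model of CSP policy combination.
// A request is allowed only if EVERY policy in effect allows it,
// which is why a per-response policy cannot relax a baseline.

// Parse "script-src 'self' cdn.example; img-src *" into a Map.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Does one source expression match the request host?
// Simplification: 'self' compares hosts only, not full origins.
function sourceMatches(source, host, pageHost) {
  if (source === "'none'") return false;
  if (source === "'self'") return host === pageHost;
  if (source === '*') return true;
  if (source.startsWith('*.')) return host.endsWith(source.slice(1));
  return host === source;
}

// Does ONE policy allow a fetch governed by `directive` from `host`?
// Falls back to default-src; if neither is present the policy allows it.
function policyAllows(policy, directive, host, pageHost) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true;
  return sources.some(s => sourceMatches(s, host, pageHost));
}

// Combined decision across all policies (baseline + per-response).
function allowed(policyTexts, directive, host, pageHost) {
  return policyTexts.every(p =>
    policyAllows(parsePolicy(p), directive, host, pageHost));
}

// Constructed scenario: a baseline of 'self' plus a per-response policy
// that tries to add cdn.example. The script is still blocked, because
// the baseline policy alone does not allow it.
const baseline = "default-src 'self'";
const perResponse = "script-src 'self' cdn.example";
const cdnBlocked = !allowed([baseline, perResponse],
  'script-src', 'cdn.example', 'app.example');
```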
This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:20 UTC