Re: [Proposal]: Set origin-wide policies via a manifest.

On Thu, Jul 28, 2016 at 12:43 AM, Brad Hill <> wrote:
> 1) If I'm reading this correctly, you could never have a more relaxed CSP
> for a specific resource than the baseline value in an Origin Policy due to
> the way header combination works for CSP.  It seems like some sort of escape
> hatch is necessary to disable Origin-Policy processing for a given response?
> (or you have to be absolutely 100% certain about the baseline policy
> contents and probably still send large delta policies with almost every
> request)

The opt-out is pointing to a different policy (or not pointing to one
at all). That will lead to the browser disregarding the existing
policy of course and notably doesn't work for CORS-preflights (too
late at that point), but it's a pretty good defense-in-depth that
crossdomain.xml didn't offer.


Received on Thursday, 28 July 2016 07:41:20 UTC