Add ability to specify the version of used CSP

Hello!

It is awkward to maintain a backward-compatible CSP policy, e.g. to keep unsafe-inline with a nonce in it for CSPv1, or
frame-src/child-src. It looks like in future versions of CSP this problem will be more obvious.
In some cases in a web application it is easier to support only the latest standard.
What do you think about adding the ability to specify the version of the CSP used?
It can be done in the header name, like:

Content-Security-Policy-v3: ...

If a browser meets more than one CSP header, it should use the header with the latest supported version.

I also reported the issue on GitHub, but there has been no activity on it for 8 days:
https://github.com/w3c/webappsec-csp/issues/189

-- 
Taras Ivashchenko
Information Security Officer,
Yandex

Received on Thursday, 9 March 2017 09:01:49 UTC
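
The backward-compatibility burden described in the message above, shown as an added example that is not part of the original e-mail: a helper that takes a policy written for current browsers and appends the fallbacks older CSP implementations need. The function names, the nonce and the widget origin are constructed for illustration.

```python
# Added illustration; function names are hypothetical, not from any library.
INLINE_ALLOWLIST_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_policy(policy):
    """Split a CSP string into an ordered {directive: [source, ...]} dict."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Browsers ignore a repeated directive, so the first occurrence wins.
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def add_legacy_fallbacks(policy):
    """Return `policy` with the extra tokens older CSP levels require."""
    d = parse_policy(policy)

    # CSP1 browsers do not understand nonce/hash sources and would block
    # every inline script or style. 'unsafe-inline' keeps them working;
    # CSP2+ browsers ignore it when a nonce or hash is present in the list.
    for name in ("script-src", "style-src"):
        sources = d.get(name, [])
        uses_nonce_or_hash = any(
            s.lower().startswith(INLINE_ALLOWLIST_PREFIXES) for s in sources
        )
        if uses_nonce_or_hash and "'unsafe-inline'" not in sources:
            sources.append("'unsafe-inline'")

    # child-src is unknown to CSP1 browsers, which only know frame-src.
    # Copying it gives them the same frame restrictions; browsers that know
    # both apply frame-src to frames, so the duplicate changes nothing there.
    if "child-src" in d and "frame-src" not in d:
        d["frame-src"] = list(d["child-src"])

    return "; ".join(" ".join([name] + srcs) for name, srcs in d.items())


if __name__ == "__main__":
    # Constructed sample policy.
    modern = "script-src 'self' 'nonce-abc123'; child-src https://widgets.example"
    print("Content-Security-Policy:", add_legacy_fallbacks(modern))
```

The fallback tokens are what a CSP1-only browser actually enforces, so on those browsers the nonce gives no protection against injected inline script.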