On Mon, Aug 17, 2015 at 6:28 AM, Dominique Hazael-Massieux <dom@w3.org> wrote: > On 17/08/2015 15:21, Eric Rescorla wrote: > >> Well, I don't see a problem with a change in behavior that only takes >> effect when >> a CSP directive is set... >> > > Do you see a problem with making that behavior (i.e. disabling > RTCPeerConnection on third party embedded context) the default even if no > CSP directive is set (and only use CSP to make it more lax)? > That seems to violate the general philosophy of CSP (at least when I was involved) that CSP was a belt-and-suspenders mechanism. In addition, I think we would need to ask what currently valid code it would break. -EkrReceived on Monday, 17 August 2015 13:35:10 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:18:08 UTC