- From: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Date: Wed, 22 Jul 2009 22:47:09 +0000

On Wed, Jul 22, 2009 at 1:56 PM, Bil Corry<bil at corry.biz> wrote:
> The idea here is 'when in doubt, favor the more restrictive option.' There shouldn't be both headers, but if there are, then CSP wins.

Ah, I see, you'd only send one header. Well, it still seems like it might be a little more confusing to have essential data split across multiple places (e.g., policy file vs. header name).

> It's valuable to set them up for as much success as possible.

It's a detail that I don't think is really a big deal in any event, so I have no strong opinion. I do think that some report-only mode would be almost essential for safe deployment in complicated preexisting apps.

Received on Wednesday, 22 July 2009 15:47:09 UTC