
[whatwg] Clickjacking and CSRF

From: Aryeh Gregor <Simetrical+w3c@gmail.com>
Date: Wed, 22 Jul 2009 22:47:09 +0000
Message-ID: <7c2a12e20907221547l90f28id86cdf30203d46cb@mail.gmail.com>
On Wed, Jul 22, 2009 at 1:56 PM, Bil Corry <bil at corry.biz> wrote:
> The idea here is 'when in doubt, favor the more restrictive option.' There shouldn't be both headers, but if there are, then CSP wins.

Ah, I see, you'd only send one header.  Well, it still seems like it
might be a little more confusing to have essential data split across
multiple places (e.g., policy file vs. header name).

> It's valuable to set them up for as much success as possible.

It's a detail that I don't think is really a big deal in any event, so
I have no strong opinion.  I do think that some report-only mode would
be almost essential for safe deployment in complicated preexisting
apps.
Received on Wednesday, 22 July 2009 15:47:09 UTC
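What a report-only rollout looks like in practice, as an added example that is not code from this thread or from the CSP proposal under discussion. The header names are the ones later standardized (Content-Security-Policy and Content-Security-Policy-Report-Only); the policy string, the /csp-report endpoint, the minimum-hit threshold and the sample violation reports are all constructed for illustration. The idea is the one the message argues for: ship the same policy in report-only mode first, aggregate what the browsers report, and only then decide what to allow and flip to enforcing.

```python
"""Staged CSP rollout: report-only first, enforce later (added example)."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Policy we intend to enforce eventually (assumed, illustrative).
POLICY = ("default-src 'self'; script-src 'self'; frame-ancestors 'self'; "
          "report-uri /csp-report")


def csp_headers(policy: str, enforce: bool) -> dict:
    """Response headers for one rollout stage.

    In report-only mode the browser evaluates the same policy but only sends
    violation reports; nothing is blocked, so a large preexisting app can be
    measured before the policy is switched to enforcing.
    """
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return {name: policy}


def parse_report(body: bytes) -> dict:
    """Extract the triage fields from one application/csp-report body."""
    report = json.loads(body)["csp-report"]
    # Older reports carry only violated-directive, whose value is the whole
    # directive ("script-src 'self'"); effective-directive is just the name.
    directive = report.get("effective-directive") or report["violated-directive"].split()[0]
    blocked = report.get("blocked-uri", "")
    # Reduce a blocked URL to its origin; keyword values such as "inline" stay as-is.
    if "://" in blocked:
        parts = urlsplit(blocked)
        blocked = f"{parts.scheme}://{parts.netloc}"
    return {"document": report.get("document-uri"), "directive": directive, "blocked": blocked}


def summarize(bodies) -> Counter:
    """Count (directive, blocked origin) pairs across a batch of reports."""
    counts = Counter()
    for body in bodies:
        r = parse_report(body)
        counts[(r["directive"], r["blocked"])] += 1
    return counts


def proposed_allowlist(counts: Counter, min_hits: int = 2) -> dict:
    """Origins reported often enough to look like real app dependencies, per directive.

    Anything below min_hits is left out: a one-off report is more likely injected
    content or a browser extension than a dependency, and keyword values like
    "inline" are never auto-allowed; those need a human decision.
    """
    out = {}
    for (directive, origin), n in counts.items():
        if n >= min_hits and "://" in origin:
            out.setdefault(directive, set()).add(origin)
    return out


# Constructed sample reports, as browsers would POST them to /csp-report.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://app.example/checkout",
        "effective-directive": "script-src",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "https://cdn.example.net/lib/analytics.js"}}).encode(),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example/account",
        "effective-directive": "script-src",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "https://cdn.example.net/lib/widgets.js"}}).encode(),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example/",
        "violated-directive": "frame-ancestors 'self'",
        "blocked-uri": "https://partner.example/portal"}}).encode(),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example/",
        "effective-directive": "script-src",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "inline"}}).encode(),
]

if __name__ == "__main__":
    print(csp_headers(POLICY, enforce=False))
    counts = summarize(SAMPLE_REPORTS)
    for key, n in counts.most_common():
        print(n, key)
    print(proposed_allowlist(counts))
```

Run as-is it prints the report-only header, the per-origin violation counts, and the origins worth adding to the policy before enforcing. The single frame-ancestors report from the partner site is exactly the kind of finding the message is worried about in a complicated preexisting app: had the policy gone straight to enforcing, that embedding would have broken silently.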
