
[whatwg] Clickjacking and CSRF

From: Bil Corry <bil@corry.biz>
Date: Wed, 22 Jul 2009 17:51:33 -0500
Message-ID: <4A6797F5.1040809@corry.biz>
Aryeh Gregor wrote on 7/22/2009 5:47 PM: 
> On Wed, Jul 22, 2009 at 1:56 PM, Bil Corry<bil at corry.biz> wrote:
>> The idea here is 'when in doubt, favor the more restrictive option.'  There shouldn't be both headers, but if there are, then CSP wins.
> Ah, I see, you'd only send one header.  Well, it still seems like it
> might be a little more confusing to have essential data split across
> multiple places (e.g., policy file vs. header name).

To clarify, I was thinking this would run CSP in report-only mode:

	X-Content-Security-Policy-ReportOnly: allow self

Then when you're satisfied with the ruleset, you merely rename the header to actually kick it on:

	X-Content-Security-Policy: allow self

- Bil
Received on Wednesday, 22 July 2009 15:51:33 UTC
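The tune-in-report-only-then-rename workflow Bil describes, as an added Python example that is not from this thread: it emits exactly one of the two header names, tallies the violation reports browsers POST back during the report-only phase, and lists what still needs widening before the rename. It goes beyond the thread by also covering the standardised Content-Security-Policy header names and the standard "csp-report" JSON wrapper; the sample reports and hostnames are constructed.

```python
import json
from collections import Counter

# Header names: the 2009 draft names used in this thread, and the standardised
# names browsers ship today (assumption: the tune-then-rename workflow is the same).
HEADER_NAMES = {
    "draft": ("X-Content-Security-Policy-ReportOnly", "X-Content-Security-Policy"),
    "standard": ("Content-Security-Policy-Report-Only", "Content-Security-Policy"),
}

def csp_header(policy, enforce=False, flavour="standard"):
    """Return the single (name, value) pair to send: the report-only name while
    tuning, the enforcing name once the ruleset is trusted. Never both."""
    report_only, enforcing = HEADER_NAMES[flavour]
    return (enforcing if enforce else report_only, policy)

def summarise_reports(report_lines):
    """Tally browser violation reports collected during the report-only phase.
    Each line is one JSON body in the standard {"csp-report": {...}} wrapper."""
    counts = Counter()
    for line in report_lines:
        if not line.strip():
            continue
        try:
            report = json.loads(line)["csp-report"]
            key = (report.get("violated-directive", "?"), report.get("blocked-uri", "?"))
        except (ValueError, KeyError, TypeError, AttributeError):
            counts["<malformed>"] += 1  # count it and keep going; one bad POST must not stop the tally
            continue
        counts[key] += 1
    return counts

def unexpected_violations(counts, ignore=()):
    """Keys that are neither allow-listed as benign noise (e.g. browser extensions)
    nor malformed; an empty result means the policy is ready to enforce."""
    return sorted(k for k in counts if k != "<malformed>" and k not in ignore)

# Constructed sample: two reports for a CDN script the policy forgot, one browser
# extension artefact, and one garbage line. Hosts are placeholders, not real sites.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://app.example/", "violated-directive": "script-src", "blocked-uri": "https://cdn.example/app.js"}}',
    '{"csp-report": {"document-uri": "https://app.example/", "violated-directive": "script-src", "blocked-uri": "https://cdn.example/app.js"}}',
    '{"csp-report": {"document-uri": "https://app.example/", "violated-directive": "img-src", "blocked-uri": "chrome-extension"}}',
    "not a report",
]

if __name__ == "__main__":
    print(csp_header("allow self", flavour="draft"))  # the tuning header proposed in the thread
    counts = summarise_reports(SAMPLE_REPORTS)
    todo = unexpected_violations(counts, ignore=(("img-src", "chrome-extension"),))
    print(todo)  # [('script-src', 'https://cdn.example/app.js')] -> widen the policy before renaming
    print(csp_header("default-src 'self' https://cdn.example", enforce=True))
```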
