- From: Bil Corry <bil@corry.biz>
- Date: Wed, 22 Jul 2009 17:51:33 -0500
Aryeh Gregor wrote on 7/22/2009 5:47 PM:
> On Wed, Jul 22, 2009 at 1:56 PM, Bil Corry<bil at corry.biz> wrote:
>> The idea here is 'when in doubt, favor the more restrictive option.' There shouldn't be both headers, but if there are, then CSP wins.
>
> Ah, I see, you'd only send one header. Well, it still seems like it
> might be a little more confusing to have essential data split across
> multiple places (e.g., policy file vs. header name).

To clarify, I was thinking this would run CSP in report-only mode:

X-Content-Security-Policy-ReportOnly: allow self

Then when you're satisfied with the ruleset, you merely rename the header to actually kick it on:

X-Content-Security-Policy: allow self

- Bil
Received on Wednesday, 22 July 2009 15:51:33 UTC
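As an added illustration (not code from the thread or from any CSP implementation), the following Python models the two-stage rollout Bil describes and the precedence rule from his earlier message: a server emits one header per stage, and a receiver that sees both headers lets the enforcing one win. Header names are the 2009 draft names quoted above; the function names and the sample header dicts are constructed for this example.

```python
# Added example: report-only -> enforce rollout and "enforcing header wins"
# resolution, using the 2009 draft header names quoted in the message.
from typing import Dict, Optional, Tuple

ENFORCE_HEADER = "X-Content-Security-Policy"
REPORT_ONLY_HEADER = "X-Content-Security-Policy-ReportOnly"


def csp_headers(policy: str, enforce: bool) -> Dict[str, str]:
    """Emit the single CSP header for the current rollout stage.

    enforce=False sends only the report-only header, so violations are
    reported but nothing is blocked. enforce=True sends the same policy
    under the enforcing name, which is the "rename the header" step.
    """
    name = ENFORCE_HEADER if enforce else REPORT_ONLY_HEADER
    return {name: policy}


def effective_policy(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Resolve which policy a receiver should apply.

    Returns (mode, policy) with mode "enforce" or "report-only", or None
    when neither header is present. If both headers are present the
    enforcing one wins ("favor the more restrictive option"). Header
    names are matched case-insensitively, as HTTP header names are.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    enforcing = lowered.get(ENFORCE_HEADER.lower())
    report_only = lowered.get(REPORT_ONLY_HEADER.lower())
    if enforcing:  # both present -> the enforcing header takes precedence
        return ("enforce", enforcing)
    if report_only:
        return ("report-only", report_only)
    return None


def both_headers_sent(headers: Dict[str, str]) -> bool:
    """Flag the configuration the message says should not occur: both headers."""
    names = {k.lower() for k in headers}
    return ENFORCE_HEADER.lower() in names and REPORT_ONLY_HEADER.lower() in names


if __name__ == "__main__":
    # Constructed walk-through: stage 1, stage 2, and a mixed response.
    print(csp_headers("allow self", enforce=False))
    print(csp_headers("allow self", enforce=True))
    mixed = {ENFORCE_HEADER: "allow self", REPORT_ONLY_HEADER: "allow *"}
    print(effective_policy(mixed), both_headers_sent(mixed))
```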