On Apr 4, 10:39 am, Florian Weimer <[email protected]> wrote:
> The policy does not say explicitly what happens to javascript:
> hyperlinks and the on* event handlers.

http://people.mozilla.org/~bsterne/content-security-policy/details.html#no-inline-script

> You shouldn't use an X- header because it's going to stick around and
> prevent standardization (see X-Complaints-To on Usenet).

I think an X-header makes sense for CSP at this point, since it is not yet standardized. A standards group like W3C's public-webapps is probably the right venue for that conversation to take place.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
