Gervase Markham wrote on 7/8/2009 11:25 AM: 
> On 07/07/09 19:18, Sid Stamm wrote:
>> I personally want to eradicate the META tag
>> (http://blog.sidstamm.com/2009/06/csp-with-or-without-meta.html). This
>> should be discussed more in depth to decide if we should remove META
>> support, if we should support multiple HTTP headers, etc.
> 
> My comment:
> 
> Why not allow multiple headers, and keep the intersection algorithm?
> 
> This way, the hosting company has to provide a special interface for
> editing the header rather than the customer just being able to type it
> into the page, but it still allows it to make non-negotiable
> restrictions. They just serve their restrictions in the first header,
> and make sure the customer-provided header comes afterwards.

If the hosting company is providing an interface to add one or more additional 
CSP headers, then wouldn't it be just as easy for them to provide an interface 
that constructs a single header?


- Bil

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
