Sorry if this was already brought up in this thread (or if it's a closed subject), but using headers vs. a policy file is a bad idea, for the following reasons:
* Allows caching
* Allows usage of the policy on a site where there's no scripting available (static content servers?)
* Allows a policy to be enforced on a domain level, instead of for every HTML page
* Removes the HEAD-before-POST requirement

The last one is an important one for a different reason as well. PHP, as an example, will execute scripts the same way regardless of whether it's HEAD, POST or GET, so this could produce unwanted results on existing sites, not to mention a bandwidth and time overhead.

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
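The HEAD-before-POST concern above, as an added example that is not part of the original post: a hypothetical handler that runs its action on every method (the PHP behaviour the post describes) performs the side effect twice when a client first sends HEAD to fetch a per-page policy and then sends the real POST, while a method-aware handler performs it once. The endpoint path, handler names and counter are constructed for the illustration.

```python
# Added example, not from the original post. Models the "HEAD before POST"
# problem: a policy-fetching HEAD hits the same script as the real POST.
# Handler and path names are hypothetical; the state dict stands in for a
# database row that the action mutates.

def naive_handler(method, path, state):
    """Runs the action on every method, like the PHP behaviour described."""
    if path == "/transfer":
        state["transfers"] += 1          # side effect fires for HEAD as well
    return 200


def method_aware_handler(method, path, state):
    """Only performs the state-changing action on POST; other methods are safe."""
    if path == "/transfer":
        if method == "POST":
            state["transfers"] += 1
            return 200
        return 405                      # mutating endpoint rejects HEAD/GET
    return 200


def head_before_post(handler):
    """Simulates a client sending HEAD (to fetch the policy) and then POST.

    Returns how many times the mutating action actually ran.
    """
    state = {"transfers": 0}
    handler("HEAD", "/transfer", state)
    handler("POST", "/transfer", state)
    return state["transfers"]


if __name__ == "__main__":
    print("naive handler ran the action", head_before_post(naive_handler), "times")
    print("method-aware handler ran it", head_before_post(method_aware_handler), "times")
```

A domain-level policy file avoids the pre-flight HEAD entirely, which is the point the post makes; where per-response headers are used, the defensive fix on the server side is to gate mutating actions on the request method, as `method_aware_handler` does.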