Lucas Adamski wrote:
> My 2c is that if we do this we should do versioning from the get go,
> otherwise servers will have a hard time telling CSP v1.0 from CSP
> unsupported clients in the future.  On one hand this may waste some
> bandwidth now, but then again if it saves the server from sending CSP
> responses to clients that don't support it, 

What do you mean by "CSP responses to clients that don't support it"?
What is a "CSP response"? CSP is not supposed to make page authors do
anything different, it's supposed to cover their asses when they mess
up. Relying on CSP is using it for something it's not designed for.

bsterne - I'm not talking crack, right?

Gerv
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
