Gervase Markham wrote on 12/3/2008 4:56 PM:
> bsterne wrote:
>> I think what Lucas is saying is that servers won't send policy to
>> clients who don't announce that they support CSP.
>
> To save 60 bytes in a header?
No, so that in the event CSPv2 is incompatible with CSPv1, it won't require two response headers to be sent to every client. Instead, since the browser tells the server which version of CSP it's accepting, the server can send back the CSP header in the most recent format that both the client and server understand (e.g. server knows CSPv2, client knows CSPv3, server sends CSPv2 header).

- Bil

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
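The negotiation Bil describes, written out as a small server-side helper; this is an added example, not code from the thread or from any browser. The request header name `X-CSP-Accept` and the mapping from version number to response header name are assumptions for illustration, not real CSP negotiation headers.

```python
# Added example: pick one CSP response format based on the versions the
# client announced, instead of sending every format to every client.
from typing import Optional, Tuple, Dict

# Assumed (hypothetical) mapping: CSP version -> response header the server
# knows how to emit for that version. Here the server knows v1 and v2 only.
SERVER_POLICY_FORMATS: Dict[int, str] = {
    1: "X-Content-Security-Policy",
    2: "Content-Security-Policy",
}


def parse_accepted_versions(header_value: Optional[str]) -> set:
    """Parse the client's announced versions from an assumed request header
    such as `X-CSP-Accept: 1, 2, 3`. A missing or malformed header means the
    client announced no CSP support at all; junk tokens are ignored."""
    if not header_value:
        return set()
    versions = set()
    for token in header_value.split(","):
        token = token.strip()
        if token.isdigit():
            versions.add(int(token))
    return versions


def negotiate_csp_version(client_header: Optional[str],
                          server_versions: Dict[int, str] = SERVER_POLICY_FORMATS
                          ) -> Optional[int]:
    """Return the most recent version both sides understand, or None when the
    client announced nothing or there is no common version."""
    common = parse_accepted_versions(client_header) & set(server_versions)
    return max(common) if common else None


def build_policy_header(client_header: Optional[str], policy: str,
                        server_versions: Dict[int, str] = SERVER_POLICY_FORMATS
                        ) -> Optional[Tuple[str, str]]:
    """Return the single (header name, value) pair to send, or None when no
    policy header should be sent because no version was negotiated."""
    version = negotiate_csp_version(client_header, server_versions)
    if version is None:
        return None
    return (server_versions[version], policy)


if __name__ == "__main__":
    # The case from the thread: server knows v2, client knows v3 -> send v2.
    print(build_policy_header("1, 2, 3", "default-src 'self'"))
    # Client that never announced support: nothing is sent.
    print(build_policy_header(None, "default-src 'self'"))
```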