Bil Corry wrote:
> No, so that in the event CSPv2 is incompatible with CSPv1, it won't
> require two response headers to be sent to every client.  Instead,
> since the browser tells the server which version of CSP it's
> accepting, the server can send back the CSP header in the most recent
> format that both the client and server understand (e.g. server knows
> CSPv2, client knows CSPv3, server sends CSPv2 header).

That makes no sense. You are saying that servers won't send any policy
at all, now, because in the future they might have to send two headers?

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
