Lucas Adamski wrote:
> From this discussion I'm still seeing good reasons to have a version
> flag; mainly to allow servers to detect whether a given client supports
> CSP (and what version of it) in an unequivocal manner.

How do you react to my point that they shouldn't need to know that because, if they do, it means they are relying on CSP, which they shouldn't be?

> If a server is to rely on CSP to reliably enforce security constraints

If it's doing that, it's broken. CSP is explicitly not designed for this. (As I understand it.)

Gerv