Sid Stamm wrote on 1/12/2009 3:19 PM:
> It seems to me that unless client browsers *never* send CSP-related
> data to the server then the server can ultimately determine which
> clients are using CSP.
I agree. Without the client advertising CSP support, sites will test for CSP just as they test for JavaScript, cookies, etc. You could probably test for CSP by using policy-uri: if the browser requests it from your server, then it supports CSP. To prevent an attacker from causing a browser to load it a la CSRF, you could even add a nonce to the request:

X-Content-Security-Policy: policy-uri /policy.csp?nonce=ABC123

- Bil
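The nonce-protected policy-uri check Bil describes, as an added example that is not part of the thread: a server issues each page response with a fresh, single-use nonce in the (2009-era) X-Content-Security-Policy header, and only a fetch of /policy.csp that carries a nonce issued to that same session counts as evidence the browser supports CSP. The class name, the policy text and the session ids are constructed for the example; plain functions stand in for a real web server's request and response handling.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

# Header name and directive syntax as used in the thread (pre-standard CSP).
HEADER_NAME = "X-Content-Security-Policy"

# Policy text the server hands out from /policy.csp (constructed sample).
POLICY_TEXT = "allow 'self'; img-src *"


class CspSupportTracker:
    """Records which sessions' browsers actually fetched the policy-uri.

    Only a fetch carrying an unguessable, single-use nonce that was issued to
    that same session counts, so a third-party page cannot make a victim's
    browser register "supports CSP" on the victim's behalf (the CSRF case the
    thread mentions): the attacker never learns a valid nonce.
    """

    def __init__(self):
        self._pending = {}         # nonce -> session_id the nonce was issued to
        self.supports_csp = set()  # session ids whose browser fetched the policy

    def page_headers(self, session_id):
        """Headers for a normal page response: advertise the policy-uri with a fresh nonce."""
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = session_id
        return {HEADER_NAME: f"policy-uri /policy.csp?nonce={nonce}"}

    def handle_request(self, path_with_query, session_id):
        """Serve the policy-uri. session_id comes from the cookie the browser
        sent with this fetch. Returns (http_status, body)."""
        parts = urlsplit(path_with_query)
        if parts.path != "/policy.csp":
            return 404, ""
        nonce = parse_qs(parts.query).get("nonce", [""])[0]
        # pop() makes the nonce single-use; comparing to session_id binds it to
        # the session that received the page carrying the header.
        if not nonce or self._pending.pop(nonce, None) != session_id:
            return 403, ""
        self.supports_csp.add(session_id)
        return 200, POLICY_TEXT


def nonce_from_header(value):
    """Parse the nonce back out of a policy-uri header value (used by the demo)."""
    uri = value.split("policy-uri", 1)[1].strip()
    return parse_qs(urlsplit(uri).query).get("nonce", [""])[0]


if __name__ == "__main__":
    tracker = CspSupportTracker()
    # Page response to a browser holding session "sess-A" (constructed id).
    headers = tracker.page_headers("sess-A")
    nonce = nonce_from_header(headers[HEADER_NAME])
    # A CSP-aware browser follows the policy-uri with its own cookie.
    print(tracker.handle_request(f"/policy.csp?nonce={nonce}", "sess-A"))
    print("sess-A" in tracker.supports_csp)
    # A cross-site page cannot know the nonce, so its forced fetch is refused.
    print(tracker.handle_request("/policy.csp?nonce=guess", "sess-A"))
```

The server learns nothing from browsers that ignore the header, which is exactly the detection signal under discussion: CSP support is inferred from the fetch, not from anything the client declares.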