On 6-Apr-09, at 6:56 AM, Gervase Markham wrote:
> - "When both a X-Content-Security-Policy HTTP header and meta tag are present, the intersection of the two policies is enforced; essentially, the browser enforces the most *relaxed* policy satisfying both the policies specified in the meta tag and header."
>
> Surely you mean "strict", not "relaxed"? The example seems to show that the resulting policy is more strict than either of the two source policies.

I think "relaxed" is the intent here, within the context of "the most relaxed policy *satisfying both* ... the meta tag and header." So the intersection is more strict than either on its own, but no more strict than that intersection. I agree that the wording is a bit confusing.

Cheers,

J

---
Johnathan Nightingale
Human Shield
[email protected]



_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security