On 4/6/09 9:17 AM, Johnathan Nightingale wrote:
I think "relaxed" is the intent here, within the context of "the most relaxed policy *satisfying both* ... the meta tag and header." So the intersection is more strict than either on its own, but no more strict than that intersection. I agree that the wording is a bit confusing.
Yeah, that's correct. I must have been over-caffeinated when I wrote that. Here is the new, hopefully clearer text:
"essentially, the browser enforces a policy that is more strict than both the policies specified in the meta tag and header, but only strict enough to correspond to rules in both policies. Any web request that satisfied both policies alone will be accepted by the new policy, but any request rejected by either one or both of the two policies will be rejected."
I also put a kind of formal description following it in the wiki: https://wiki.mozilla.org/Security/CSP/Spec#Policy_Refinements_with_a_META_Tag

-Sid
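The combination rule discussed above (a request passes only if it is accepted by the header policy *and* by the meta-tag policy, so the effective policy is the intersection of the two) can be modelled in a few lines. The following is an added example, not code from the thread, the CSP spec, or Mozilla; it assumes a deliberately simplified directive grammar (`default-src`, `script-src`, `img-src` with `'none'`, `'self'`, `*`, and host sources) and constructed sample policies and URLs.

```python
"""Toy model of combining a CSP delivered in an HTTP header with one in a
<meta> tag: the browser enforces the intersection, i.e. a request is allowed
only when both policies allow it. Added example with a simplified CSP grammar
(assumption); real CSP parsing and source matching are considerably richer."""
from urllib.parse import urlparse


def parse_policy(text):
    """Parse "directive src src; directive src" into {directive: [sources]}."""
    policy = {}
    for directive in text.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name = parts[0].lower()
        policy[name] = [s.strip("'").lower() for s in parts[1:]]
    return policy


def policy_allows(policy, directive, origin, url):
    """Does a single policy permit fetching `url` for `directive` from `origin`?"""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # no applicable directive: this policy does not restrict it
    if sources == ["none"]:
        return False
    host = (urlparse(url).hostname or "").lower()
    own_host = (urlparse(origin).hostname or "").lower()
    for src in sources:
        if src == "*":
            return True
        if src == "self" and host == own_host:
            return True
        if src.startswith("*.") and host.endswith(src[1:]):
            return True
        if src == host:
            return True
    return False


def combined_allows(header_policy, meta_policy, directive, origin, url):
    """Intersection semantics: accepted only if both policies accept it."""
    return (policy_allows(header_policy, directive, origin, url)
            and policy_allows(meta_policy, directive, origin, url))


# Constructed sample policies and page origin (not from the thread).
HEADER = parse_policy("default-src 'self'; script-src 'self' cdn.example.com")
META = parse_policy("script-src 'self' static.example.com; img-src *")
ORIGIN = "https://www.example.com"


def evaluate(directive, url):
    """Return (header_ok, meta_ok, combined_ok) for one request."""
    return (policy_allows(HEADER, directive, ORIGIN, url),
            policy_allows(META, directive, ORIGIN, url),
            combined_allows(HEADER, META, directive, ORIGIN, url))


if __name__ == "__main__":
    for directive, url in [
        ("script-src", "https://www.example.com/app.js"),      # both allow
        ("script-src", "https://cdn.example.com/lib.js"),      # meta rejects
        ("script-src", "https://static.example.com/x.js"),     # header rejects
        ("img-src", "https://pics.example.net/a.png"),         # header rejects
        ("img-src", "https://www.example.com/logo.png"),       # both allow
    ]:
        print(directive, url, evaluate(directive, url))
```

Note that the combined result is never more permissive than either input: a source that only the header lists (cdn.example.com) or only the meta tag lists (static.example.com, or any image host via `*`) is rejected, while anything both accept still loads. That is exactly the "most relaxed policy satisfying both" reading of the text.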
