Gervase Markham wrote on 4/7/2009 6:07 AM:
> On 07/04/09 07:36, Daniel Veditz wrote:
>> Maybe this does point out the need for some kind of version number in
>> the header, so future browsers can take appropriate action when
>> encountering an old header. For example, assuming "none" for any newly
>> added types.
>
> I much prefer forwardly-compatible designs to version numbers.

It has to work both ways; old CSP clients need to be able to parse new CSP rules that are unknown to them and new CSP clients need to be able to parse old CSP rules. Where it will become a challenge is anytime something implicit has its meaning changed (e.g. the default is "x" in CSPv1 and "y" in CSPv2).

- Bil
