On 10/04/09 16:46, Brandon Sterne wrote:
I'm not 100% thrilled with the idea either, mostly because parsing the U-A string could be challenging for some sites. But it does seems to be the least bad idea I've heard. We can certainly minimize U-A bloat by making our subproduct something like "CSP/1". I'm certainly open to other suggestions, though.
Why does the CSP technology get to advertise and version itself in this way when no other technology the browser supports does? If we allow CSP to send version information in every HTTP request, what other technologies are going to want it? "I support <video>". "I support HTML5". Etc. I think the slippery slope argument has validity here.
Why not start versioning when we reach version 2 (i.e. there are two versions to distinguish), if that ever happens?
Gerv _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
