Based on feedback and resulting discussions, I think it is best that we proceed with the User-Agent [1] product token [2] approach for CSP versioning. It will only add ~5 bytes, e.g. CSP/1, to the U-A string and will be easily parsable by servers. I am going to update the CSP spec to reflect this addition.
Cheers,
Brandon

[1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.43
[2] http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.8

On 4/10/09 10:32 AM, Sid Stamm wrote:
> If we advertise the version at all (I'm still on the fence here), I
> think maybe putting the CSP version into the User-Agent header might be
> appropriate, since CSP is technically a capability of the user agent.
> http://tools.ietf.org/html/rfc2616#section-14.43
>
> If indeed the UA gets scrubbed by someone concerned about privacy (or a
> proxy/firewall/etc), it seems appropriate that this advertisement of a
> user-agent's capability (the CSP version) should get scrubbed too.
>
> So the UA string is harder to parse than a header containing only this
> version, but the syntax is fairly straightforward in RFC 2616. Also,
> I'm not seeing a Flash-Version header, or a header that alone advertises
> any other browser capabilities, so unless we want to make a new header
> and put *all* advertised capabilities in it, User-Agent seems the best
> choice.
>
> Cheers,
> Sid
>
> _______________________________________________
> dev-security mailing list
> dev-security@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security
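Brandon's proposal has servers reading a CSP/1 product token out of the User-Agent string, and Sid's point is that the RFC 2616 product/comment syntax is easy enough to parse. Below is an added example, not code from this thread, from the CSP spec or from Mozilla, of a server-side parser that walks the RFC 2616 section 3.8 grammar (products, product-versions, nested parenthesised comments with quoted-pairs) and returns the advertised CSP version, or None when the token is absent, for instance because a privacy proxy scrubbed the header. The sample User-Agent strings are constructed for the example, and the CSP/<integer> form plus the function names parse_products and csp_version are this example's assumptions.

```python
"""Extract a CSP/<n> product token from an RFC 2616 User-Agent string.

Added example; not from the thread or the CSP spec. Assumes the token is
spelled exactly "CSP/<integer>" as in Brandon's "CSP/1".
"""
import re
from typing import List, Optional, Tuple

# RFC 2616 section 2.2: token = 1*<any CHAR except CTLs or separators>
# separators = ( ) < > @ , ; : \ " / [ ] ? = { } SP HT
_TOKEN_RE = re.compile(r'[^\x00-\x20\x7f()<>@,;:\\"/\[\]?={}]+')

# Constructed sample User-Agent values (not captured from real browsers).
SAMPLE_UAS = [
    "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1) Gecko/20090410 "
    "Firefox/3.5 CSP/1",
    # Same browser after a privacy proxy stripped the CSP token.
    "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1) Gecko/20090410 "
    "Firefox/3.5",
]


def _skip_comment(ua: str, i: int) -> int:
    """ua[i] is '('. Return the index just past the matching ')'.

    RFC 2616: comment = "(" *( ctext | quoted-pair | comment ) ")"
    so comments nest and a backslash escapes the next character.
    """
    depth = 0
    n = len(ua)
    while i < n:
        c = ua[i]
        if c == "\\" and i + 1 < n:  # quoted-pair: skip escaped char
            i += 2
            continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unterminated comment in User-Agent")


def parse_products(ua: str) -> List[Tuple[str, Optional[str]]]:
    """Return [(product, version_or_None), ...] in order of appearance.

    Parenthesised comments are skipped; anything that is not a token,
    comment or whitespace is a syntax error per RFC 2616 section 14.43.
    """
    products: List[Tuple[str, Optional[str]]] = []
    i, n = 0, len(ua)
    while i < n:
        c = ua[i]
        if c in " \t":
            i += 1
        elif c == "(":
            i = _skip_comment(ua, i)
        else:
            m = _TOKEN_RE.match(ua, i)
            if not m:
                raise ValueError(f"unexpected character {c!r} at offset {i}")
            name = m.group(0)
            i = m.end()
            version = None
            if i < n and ua[i] == "/":  # product "/" product-version
                m = _TOKEN_RE.match(ua, i + 1)
                if not m:
                    raise ValueError(f"missing product-version after {name}/")
                version = m.group(0)
                i = m.end()
            products.append((name, version))
    return products


def csp_version(ua: str) -> Optional[int]:
    """Return the advertised CSP version, or None.

    None covers: no CSP token (e.g. scrubbed by a proxy), a malformed
    User-Agent, or a version that is not a plain integer. Product names
    are matched case-insensitively since tokens are not case-sensitive
    in practice across implementations.
    """
    try:
        products = parse_products(ua)
    except ValueError:
        return None
    for name, version in products:
        if name.lower() == "csp" and version is not None and version.isdigit():
            return int(version)
    return None


if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(repr(ua[-20:]), "->", csp_version(ua))
```

A server would call csp_version() on the incoming header and fall back to its "no CSP" behaviour on None, which is exactly the outcome Sid expects when a privacy-conscious proxy rewrites the User-Agent. The parser refuses malformed input rather than guessing, so a truncated "CSP/" with no version is treated as no advertisement.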