On 08/07/09 18:22, Bil Corry wrote:
> If the hosting company is providing an interface to add one or more additional CSP headers, then wouldn't it be just as easy for them to provide an interface that constructs a single header?

The scenario here is that they have a set policy, which an individual site owner is permitted to tighten but not loosen. To do that by editing one header would mean that either they'd need to post-check the header to make sure it was no looser than the original, or they'd need to implement the header-merging logic which would otherwise be in the client. Which means N implementations of header merging, some buggy, rather than one.
Header-merging logic in the client should just be a case of setting bits to 1 and not letting them get set back to 0 again. That can't be that hard.
Gerv
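
The tighten-only merge discussed in this message, sketched as an added example (not part of the original post and not Mozilla's implementation). It assumes the client treats multiple CSP headers as an intersection, so a load must pass every header; the matching is simplified to exact origins, and all host names and the helper names are constructed for illustration.

```javascript
// Added illustration: simplified CSP model (exact-match sources only; no
// host wildcards, schemes, nonces or hashes). All hosts are constructed.
const SELF = "https://site.example";

// "img-src 'self' https://cdn.example" -> Map { "img-src" => Set{...} }
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Keep the first occurrence of a directive within one policy.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), new Set(sources));
    }
  }
  return policy;
}

// Does one policy permit loading `origin` for `directive`?
function policyAllows(policy, directive, origin) {
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (sources === undefined) return true; // policy is silent: no restriction
  if (sources.has("*")) return true;
  if (sources.has("'self'") && origin === SELF) return true;
  return sources.has(origin); // 'none' or an empty list matches nothing
}

// Merge rule: a load must pass every header, so a "deny" from any one
// policy latches and no later header can clear it.
function allowedByAll(headers, directive, origin) {
  return headers.map(parsePolicy).every((p) => policyAllows(p, directive, origin));
}

// Constructed headers: the host's baseline and two site-owner additions.
const hostPolicy = "default-src 'self' https://cdn.example";
const ownerTighten = "script-src 'self'";
const ownerLoosen = "script-src 'self' https://other.example";

function demo() {
  return {
    baselineCdn: allowedByAll([hostPolicy], "script-src", "https://cdn.example"),
    tightenedCdn: allowedByAll([hostPolicy, ownerTighten], "script-src", "https://cdn.example"),
    loosenedOther: allowedByAll([hostPolicy, ownerLoosen], "script-src", "https://other.example"),
    selfStillOk: allowedByAll([hostPolicy, ownerTighten], "script-src", SELF),
  };
}

console.log(demo());
```

Because each header is evaluated on its own and the results are ANDed, the hosting company never has to compare the owner's header against its baseline.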
