Lots of great thoughts in this thread! I wanted to elaborate a bit here:
> > It seems natural that a subdownload should be able to say e.g.
> > Content-Security-Policy: callers <originlist>
>
> That's not too far off from what frame-ancestors does (which was also a
> scope-creep). Could they be combined in some way?
>
> I'd like something like that, but won't concerned sites want to enforce
> it server-side? A reliable Referer, or the Origin/Sec-From header would
> seem more useful there.

Some might, but that basically requires the server to send Vary: Origin or Vary: Sec-From for all resources returned. This seems like it could potentially impair performance for otherwise cacheable resources.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security

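To make the caching cost of server-side enforcement concrete, here is an added example (not from the thread or any Mozilla code): a minimal Origin-based caller check that must emit Vary: Origin, and a cache-key calculation showing how that header multiplies the entries a shared cache has to hold. The allowlist, hostnames and the "no Origin means refuse" policy are constructed assumptions.

```python
# Added example: server-side "callers" check keyed on the Origin request header,
# and the cache-key fragmentation that the required Vary: Origin header causes.
ALLOWED_CALLERS = {"https://app.example", "https://admin.example"}  # constructed allowlist


def serve_subresource(request_headers):
    """Allow the subresource only for listed calling origins.

    Returns (status, response_headers). Because the decision depends on the
    Origin header, the response must carry Vary: Origin so a shared cache does
    not hand one origin's answer to a different origin.
    """
    origin = request_headers.get("Origin")
    response_headers = {"Vary": "Origin", "Cache-Control": "public, max-age=3600"}
    # Assumption: a request without an Origin header is refused. Browsers omit
    # Origin on many GETs, so a real deployment needs a more careful policy here.
    if origin in ALLOWED_CALLERS:
        return 200, response_headers
    return 403, response_headers


def cache_key(url, request_headers, vary_fields):
    """Secondary cache key in the spirit of RFC 7234 section 4.1:
    the URL plus the value of every request header named in Vary."""
    parts = [url]
    for name in vary_fields:
        parts.append(name.lower() + "=" + request_headers.get(name, ""))
    return "|".join(parts)


def cache_entries_needed(url, requests, vary_fields):
    """Count the distinct entries a shared cache must hold to serve `requests`."""
    return len({cache_key(url, headers, vary_fields) for headers in requests})


# Constructed sample: the same resource fetched from three different origins.
SAMPLE_REQUESTS = [
    {"Origin": "https://app.example"},
    {"Origin": "https://admin.example"},
    {"Origin": "https://partner.example"},
]

if __name__ == "__main__":
    url = "https://cdn.example/widget.js"
    print("entries without Vary:", cache_entries_needed(url, SAMPLE_REQUESTS, []))  # 1
    print("entries with Vary: Origin:",
          cache_entries_needed(url, SAMPLE_REQUESTS, ["Origin"]))  # 3
```

Without Vary the cache serves one copy to everyone; with Vary: Origin every distinct caller origin gets its own entry, which is the performance cost the reply above is pointing at.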