Daniel Veditz wrote on 7/23/2009 10:32 AM:
> Sid has updated the Content Security Policy spec to address some of the
> issues discussed here. https://wiki.mozilla.org/Security/CSP/Spec

Under "Policy Refinements with a Multiply-Specified Header" there is a misspelling of "X-Content-SecurityPolicy". And that section conflicts with what is said earlier in the document, specifically:

"When multiple instances of the X-Content-SecurityPolicy HTTP header are present in an HTTP response, the intersection of the policies is enforced"

vs.

"If multiple X-Content-Security-Policy headers are present in the HTTP response, then the first one encountered is used and the rest are discarded."

and

"Only the first X-Content-Security-Policy Response header received by the user agent will be considered; any additional X-Content-Security-Policy HTTP Response headers in the same response will be ignored."

- Bil

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
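
The conflict reported above changes what a user agent would enforce. The following added example (not part of the original message, the CSP spec, or any Mozilla code) evaluates the same response under both quoted rules; the header values, host names and the exact-match policy model are constructed assumptions.

```javascript
// Simplified model (assumption): "directive host host; directive host",
// hosts compared as exact strings, no wildcards or keywords.
function parsePolicy(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const [directive, ...hosts] = part.trim().split(/\s+/).filter(Boolean);
    if (directive) policy.set(directive.toLowerCase(), new Set(hosts));
  }
  return policy;
}

// Model assumption: a directive missing from a policy permits nothing.
function allows(policy, directive, host) {
  const hosts = policy.get(directive);
  return hosts !== undefined && hosts.has(host);
}

// Rule A ("the intersection of the policies is enforced"):
// a load is permitted only if every header's policy permits it.
function allowedUnderIntersection(headerValues, directive, host) {
  return headerValues.length > 0 &&
    headerValues.every(v => allows(parsePolicy(v), directive, host));
}

// Rule B ("the first one encountered is used and the rest are discarded").
function allowedUnderFirstOnly(headerValues, directive, host) {
  return headerValues.length > 0 &&
    allows(parsePolicy(headerValues[0]), directive, host);
}

// Loads on which the two rules give different answers for one response.
function findDisagreements(headerValues, loads) {
  return loads.filter(([d, h]) =>
    allowedUnderIntersection(headerValues, d, h) !==
    allowedUnderFirstOnly(headerValues, d, h));
}

// Constructed sample: two policy header values on the same response.
const SAMPLE_HEADERS = [
  'img-src cdn.example static.example; script-src cdn.example',
  'img-src static.example; script-src cdn.example',
];
const SAMPLE_LOADS = [
  ['img-src', 'cdn.example'], ['img-src', 'static.example'],
  ['script-src', 'cdn.example'], ['script-src', 'other.example'],
];
console.log(findDisagreements(SAMPLE_HEADERS, SAMPLE_LOADS));
```

In this model the two rules differ only when a later header is stricter than the first, so under the first-header rule the order in which headers arrive decides the enforced policy.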