On 7/23/09 9:36 AM, Bil Corry wrote:
> Under "Policy Refinements with a Multiply-Specified Header" there is a
> misspelling of "X-Content-SecurityPolicy".

Fixed.

> And that section conflicts with what is said earlier in the document,
> specifically:
> "When multiple instances of the X-Content-SecurityPolicy HTTP header are
> present in an HTTP response, the intersection of the policies is enforced"
> vs.
> "If multiple X-Content-Security-Policy headers are present in the HTTP
> response, then the first one encountered is used and the rest are discarded."
> and
> "Only the first X-Content-Security-Policy Response header received by the
> user agent will be considered; any additional X-Content-Security-Policy HTTP
> Response headers in the same response will be ignored."

Fixed. Multiple header instances cause the policies to be intersected. This is more-or-less a replacement for meta tag support, which has been dropped.

Thanks Bil!

-Sid
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
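
The two readings discussed in this message (intersect every header instance vs. honour only the first) give different answers for the same response. The sketch below is an added example, not part of the original message and not code from the CSP specification or any browser. It assumes a simplified policy model (exact host names, `*` and `'self'` only; a directive a policy does not list is unrestricted), and the function names and sample headers are constructed for illustration.

```javascript
// Added illustration. Simplified model (assumption): a policy is
// "directive source ...; directive source ..." and a source is '*', 'self'
// or an exact host name. Real CSP source matching is richer than this.
function parsePolicy(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue; // skip empty segments such as a trailing ';'
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, new Set(sources)); // keep first occurrence
  }
  return policy;
}

// Assumption: a directive the policy does not list places no restriction.
function policyAllows(policy, directive, host, selfHost) {
  const sources = policy.get(directive);
  if (!sources) return true;
  return sources.has('*') || sources.has(host) ||
    (host === selfHost && sources.has("'self'"));
}

// Reading 1: policies are intersected, so every header instance must allow the load.
function allowedByIntersection(headers, directive, host, selfHost) {
  return headers.map(parsePolicy)
    .every((p) => policyAllows(p, directive, host, selfHost));
}

// Reading 2: only the first header instance is considered, the rest are ignored.
function allowedByFirstOnly(headers, directive, host, selfHost) {
  if (headers.length === 0) return true;
  return policyAllows(parsePolicy(headers[0]), directive, host, selfHost);
}

// Constructed sample: two header instances on one response from www.example.com.
const SELF = 'www.example.com';
const HEADERS = [
  "img-src *; script-src 'self' cdn.example.com",
  "img-src 'self' images.example.com; script-src 'self'",
];

for (const [directive, host] of [['script-src', 'cdn.example.com'],
  ['img-src', 'images.example.com'], ['img-src', 'tracker.example.net']]) {
  console.log(directive, host,
    'intersection:', allowedByIntersection(HEADERS, directive, host, SELF),
    'first-only:', allowedByFirstOnly(HEADERS, directive, host, SELF));
}
```

Under intersection an additional header instance can only narrow what is allowed, which is why a stricter second header takes effect there but is silently ignored under the first-only reading.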
