Sid Stamm wrote on 7/23/2009 11:41 AM: 
> On 7/23/09 9:36 AM, Bil Corry wrote:
>> And that section conflicts with what is said earlier in the document, 
>> specifically:
>> "When multiple instances of the X-Content-SecurityPolicy HTTP header are 
>> present in an HTTP response, the intersection of the policies is enforced"
>> vs.
>> "If multiple X-Content-Security-Policy headers are present in the HTTP 
>> response, then the first one encountered is used and the rest are discarded."
>> and
>> "Only the first X-Content-Security-Policy Response header received by the 
>> user agent will be considered; any additional X-Content-Security-Policy HTTP 
>> Response headers in the same response will be ignored."
> Fixed.  Multiple header instances cause the policies to be intersected.
>  This is more-or-less a replacement for meta tag support, which has been
> dropped.

There's still one sentence about it lingering under "Activation and 
Enforcement" that needs to be removed.

I think the section labeled "Policy Refinements with a Multiply-Specified 
Header" would be more clear if renamed to "Policy Intersection with Multiple 
Headers" or something similar.


- Bil
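The intersection behaviour agreed in the thread, as an added illustration that is not part of the original message or the CSP draft: two X-Content-Security-Policy headers are parsed into per-directive source sets and combined so that a source is allowed only if every header allows it. The header syntax (semicolon-separated directives, `allow` as the catch-all default, `*` as a wildcard), the sample header values, and the rule that a directive appearing in only one header is taken as-is are all assumptions made for this example.

```python
from typing import Dict, List, Set

Policy = Dict[str, Set[str]]


def parse_policy(header_value: str) -> Policy:
    """Parse one header value into {directive: set(sources)}.

    Assumed syntax: "directive src src; directive src ...".
    A directive repeated inside one header keeps its first occurrence (assumption).
    """
    policy: Policy = {}
    for clause in header_value.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, set(sources))
    return policy


def intersect_sources(a: Set[str], b: Set[str]) -> Set[str]:
    """Intersect two source lists; '*' allows everything, so it yields the other side."""
    if "*" in a:
        return set(b)
    if "*" in b:
        return set(a)
    return a & b


def intersect_policies(policies: List[Policy]) -> Policy:
    """Combine several policies so a source survives only if every policy that
    names the directive allows it (a directive seen in one policy only is kept)."""
    result: Policy = {}
    for policy in policies:
        for name, sources in policy.items():
            if name in result:
                result[name] = intersect_sources(result[name], sources)
            else:
                result[name] = set(sources)
    return result


def effective_policy(header_values: List[str]) -> Policy:
    """Policy a user agent would enforce for the given header instances."""
    return intersect_policies([parse_policy(h) for h in header_values])


def allows(policy: Policy, directive: str, source: str) -> bool:
    """Check a load against the directive, falling back to 'allow' (assumed default)."""
    sources = policy.get(directive, policy.get("allow", set()))
    return "*" in sources or source in sources


# Constructed sample: two header instances in one response.
SAMPLE_HEADERS = [
    "allow 'self'; img-src *; script-src 'self' cdn.example.com",
    "allow 'self' static.example.net; script-src 'self'",
]

if __name__ == "__main__":
    for directive, sources in sorted(effective_policy(SAMPLE_HEADERS).items()):
        print(f"{directive}: {' '.join(sorted(sources))}")
```

With the sample headers, `script-src` shrinks to `'self'` because the second header does not list `cdn.example.com`, `allow` shrinks to `'self'` for the same reason, and `img-src *` survives untouched because only the first header names it. Note that only exact source tokens are intersected here; a real implementation has to reason about host wildcards and scheme defaults, which this example does not attempt.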


_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
