On 7/23/09 11:25 AM, Bil Corry wrote:
> Sid Stamm wrote on 7/23/2009 11:41 AM:
>> On 7/23/09 9:36 AM, Bil Corry wrote:
>>> And that section conflicts with what is said earlier in the document,
>>> specifically:
>>> "When multiple instances of the X-Content-SecurityPolicy HTTP header are
>>> present in an HTTP response, the intersection of the policies is enforced"
>>> vs.
>>> "If multiple X-Content-Security-Policy headers are present in the HTTP
>>> response, then the first one encountered is used and the rest are
>>> discarded."
>>> and
>>> "Only the first X-Content-Security-Policy Response header received by the
>>> user agent will be considered; any additional X-Content-Security-Policy
>>> HTTP Response headers in the same response will be ignored."
>> Fixed. Multiple header instances cause the policies to be intersected.
>> This is more-or-less a replacement for meta tag support, which has been
>> dropped.
> There's still one sentence about it lingering under "Activation and
> Enforcement" that needs to be removed.

Thanks for catching this. Fixed.

> I think the section labeled "Policy Refinements with a Multiply-Specified
> Header" would be more clear if renamed to "Policy Intersection with Multiple
> Headers" or something similar.

Good call. Done. It's difficult to capture "policy refinements when the
X-Content-Security-Policy header appears many times" into a small section
header.

-Sid
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
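The two behaviours contrasted in the thread above (intersection of all header instances versus first header only), as an added example that is not part of the original message or of the specification text. The policy syntax, the exact-string source matching, the rule that an unmentioned directive is unrestricted, and all function names and sample values are simplifying assumptions.

```javascript
// Simplified model (assumption): a policy is "directive src src; directive src",
// and sources match by exact string only (no wildcards, no default directive).
function parsePolicy(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy.set(name.toLowerCase(), new Set(sources));
  }
  return policy;
}

function policyAllows(policy, directive, source) {
  const sources = policy.get(directive);
  // In this model a directive the policy does not mention is unrestricted.
  return sources === undefined || sources.has(source);
}

// Behaviour the thread settles on: every header instance must allow the load,
// so an extra header can only tighten the effective policy.
function allowedByIntersection(headerValues, directive, source) {
  return headerValues
    .map(parsePolicy)
    .every((policy) => policyAllows(policy, directive, source));
}

// Behaviour described by the removed sentences: only the first header counts.
function allowedByFirstOnly(headerValues, directive, source) {
  if (headerValues.length === 0) return true;
  return policyAllows(parsePolicy(headerValues[0]), directive, source);
}

// Constructed response carrying two X-Content-Security-Policy headers.
const SAMPLE_HEADERS = [
  "script-src https://a.example https://cdn.example; img-src https://img.example",
  "script-src https://a.example",
];

function compare(directive, source) {
  return {
    intersection: allowedByIntersection(SAMPLE_HEADERS, directive, source),
    firstOnly: allowedByFirstOnly(SAMPLE_HEADERS, directive, source),
  };
}

console.log(compare("script-src", "https://cdn.example"));
console.log(compare("script-src", "https://a.example"));
```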
