On 28/10/09 16:23, Gervase Markham wrote:
> On 27/10/09 09:33, Adam Barth wrote:
>> My technical argument is as follows. I think that CSP would be better
>> off with a policy language where each directive was purely subtractive
>> because that design would have a number of simplifying effects:
>
> CSP's precursor, Content Restrictions
> http://www.gerv.net/security/content-restrictions/
> was designed to be purely subtractive, for many of the technical reasons
> you state. And I do continue to think that it's a better choice.

Having said that, it doesn't preclude the very presence of the header implying some restrictions. It just means that if the presence of the header implies some restrictions, you shouldn't be able to remove those restrictions by adding tokens to the header.

Gerv
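A toy model of the two policy styles argued over in this thread, added here as an illustration; it is not code from the thread or from any CSP implementation, and the directive names (`allow-*`, `no-*`), the capability set and the baseline restriction are constructed, not CSP syntax. It shows the property Gerv describes: in the subtractive design, the bare header already implies a restriction and adding tokens can only narrow further, whereas in the additive design adding a token widens what is allowed.

```python
# Constructed capability set: what a page could do with no policy at all.
ALL_CAPS = frozenset({"inline-script", "eval", "remote-script", "frame", "plugin"})

# Constructed baseline: what the mere presence of the header forbids in the
# subtractive model (the thread's "presence of the header implying some
# restrictions").
HEADER_BASELINE_DENIED = frozenset({"inline-script"})


def evaluate_additive(tokens, header_present=True):
    """Additive style: a bare header forbids everything; each 'allow-X' token
    re-enables capability X. Adding tokens therefore widens permissions."""
    if not header_present:
        return set(ALL_CAPS)
    allowed = set()
    for tok in tokens:
        if tok.startswith("allow-"):
            allowed.add(tok[len("allow-"):])
    return allowed & ALL_CAPS


def evaluate_subtractive(tokens, header_present=True):
    """Subtractive style: a bare header applies the baseline restriction; each
    'no-X' token removes capability X; no token can re-add anything."""
    if not header_present:
        return set(ALL_CAPS)
    allowed = set(ALL_CAPS) - HEADER_BASELINE_DENIED
    for tok in tokens:
        if tok.startswith("no-"):
            allowed.discard(tok[len("no-"):])
    return allowed


def is_monotone(evaluate, base, extra):
    """True if appending 'extra' to 'base' never widens the allowed set,
    i.e. tokens cannot remove restrictions the header already implies."""
    return evaluate(list(base) + list(extra)) <= evaluate(list(base))


def widening_tokens(evaluate, vocabulary):
    """Every single token in 'vocabulary' that, added to an empty header,
    grants something the bare header did not. Empty for a subtractive design."""
    baseline = evaluate([])
    return sorted(t for t in vocabulary if not evaluate([t]) <= baseline)
```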