On 03/15/2010 03:26 AM, Gervase Markham wrote:
> On 12/03/10 22:45, Nick Kralevich wrote:
>> To me, it seems valuable to support both X-Content-Security-Policy
>> and X-Content-Security-Policy-Report-Only, as it allows sites to test new
>> restrictions without disrupting their current restrictions.
>
> That's a very good point IMO.
>
> Gerv
I agree this is a good point and was discussing it today with a couple of people. Our thought was that CSP, in the presence of both headers, could maintain two separate policies. As we then do the various checks, we would refer to each policy in kind and take the appropriate action, whether it's blocking some content in the case of the "real" policy, or generating a violation report in the case of the report-only policy. The root element in the violation reports (which are switching to JSON, btw; Bug 548193) could be different based on whether it was the real policy or the report-only policy that was violated.

I'll be filing a bug shortly to track this change.

Does this address your concerns, Nick?

-Brandon
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security