Could you clarify this?
Thanks Marc
If my page loads a script on api.google.com, it is not clear if the
user-agent, when parsing the google script, has to comply with the
X-Content-Security-Policy header from my (HTML) page or with the one
sent by the Javascript page.
- CSP spec not clear Marc Stern
- Re: CSP spec not clear Adam Barth
