Thanks for the feedback. It's the policy from the HTML page that matters. I'll clarify the spec.
Adam On Fri, Oct 12, 2012 at 5:13 AM, Marc Stern <[email protected]> wrote: > If my page loads a script on api.google.com, it is not clear if the > user-agent, when parsing the google script, has to comply with the > X-Content-Security-Policy header from my (HTML) page or with the one sent by > the Javascript page. > > Could you clarify this? > > Thanks > > Marc >
