Hi Dan,
You raise some excellent questions... you know, I hadn't really thought
about what to do about reporting inline script violations. I think the
intention was to just *not run* the violating script, but reporting the
violation is definitely a good idea since much of XSS happens this way.
D
Sid Stamm wrote:
>> Also, the “blocked-headers” is defined as required, but not all
>> schemes (specifically, FTP and FILE) use headers.
> Removed the requirement to send "request-headers" from the XML schema
> (implied optional).
Just jumping off here on a related topic: What do we send as
Hi Eric,
I've addressed many of your (excellent) comments in the Spec. Thanks
for the feedback! Status of each point is inline:
On 7/5/09 5:28 PM, EricLaw wrote:
---
Versioning
---
Server CSP Versioning
Can the server define which version of CSP policies it wants to