[whatwg] Clickjacking and CSRF

Aryeh Gregor Simetrical+w3c at gmail.com
Wed Jul 22 15:47:09 PDT 2009


On Wed, Jul 22, 2009 at 1:56 PM, Bil Corry<bil at corry.biz> wrote:
> The idea here is 'when in doubt, favor the more restrictive option.'  There shouldn't be both headers, but if there are, then CSP wins.

Ah, I see, you'd only send one header.  Well, it still seems like it
might be a little more confusing to have essential data split across
multiple places (e.g., policy file vs. header name).

> It's valuable to set them up for as much success as possible.

It's a detail that I don't think is really a big deal in any event, so
I have no strong opinion.  I do think that some report-only mode would
be almost essential for safe deployment in complicated preexisting
apps.
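The report-only rollout mentioned above, sketched as an added example (not part of the original message or the thread): the same policy is first sent under a report-only header so browsers report violations without blocking anything, the reports are aggregated, and only once they are clean does the policy move to the enforcing header. Header names and report fields follow the CSP report-uri mechanism as later standardised; the policy string, hostnames and sample reports are constructed for the example.

```python
import json
from collections import Counter

# Constructed example policy: the one the application intends to enforce eventually.
POLICY = "default-src 'self'; frame-ancestors 'none'; report-uri /csp-report"


def policy_headers(policy: str, enforce: bool) -> dict:
    """Return the response header that carries the policy.

    During rollout the policy goes out as Content-Security-Policy-Report-Only,
    which makes the browser report violations but not block them.  When the
    reports are clean, the identical policy moves to Content-Security-Policy.
    """
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return {name: policy}


def parse_report(body: str) -> dict:
    """Parse one violation report POSTed by a browser to the report-uri endpoint.

    Browsers wrap the report in a top-level "csp-report" object; the fields
    read here are the ones defined for report-uri reports.
    """
    data = json.loads(body)
    report = data.get("csp-report")
    if not isinstance(report, dict):
        raise ValueError("not a CSP violation report")
    return {
        "document": report.get("document-uri", ""),
        "directive": report.get("effective-directive") or report.get("violated-directive", ""),
        "blocked": report.get("blocked-uri", ""),
    }


def summarize(bodies) -> Counter:
    """Count violations per (directive, blocked-uri).

    This is what a team reads before flipping the header: every entry is
    something the enforcing policy would break in the existing application.
    """
    counts = Counter()
    for body in bodies:
        try:
            r = parse_report(body)
        except ValueError:  # json.JSONDecodeError is a ValueError too
            continue  # malformed or unrelated POSTs are ignored, not counted
        counts[(r["directive"], r["blocked"])] += 1
    return counts


# Constructed sample reports; not captured from any real deployment.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://app.example/account",
                               "violated-directive": "script-src 'self'",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://cdn.example/widget.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/account",
                               "violated-directive": "script-src 'self'",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://cdn.example/widget.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/login",
                               "violated-directive": "frame-ancestors 'none'",
                               "effective-directive": "frame-ancestors",
                               "blocked-uri": "https://other.example/"}}),
    "not json at all",
]

if __name__ == "__main__":
    print(policy_headers(POLICY, enforce=False))
    for (directive, blocked), n in summarize(SAMPLE_REPORTS).most_common():
        print(f"{n:3d}  {directive:<16} {blocked}")
```

The two script-src reports show a widget the policy would block on the account page; the frame-ancestors report shows a page on another host framing the login page. Each is either fixed in the application or added to the policy before `policy_headers(POLICY, enforce=True)` replaces the report-only header.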
