[whatwg] Clickjacking and CSRF
Aryeh Gregor
Simetrical+w3c at gmail.com
Wed Jul 22 15:47:09 PDT 2009
On Wed, Jul 22, 2009 at 1:56 PM, Bil Corry <bil at corry.biz> wrote:
> The idea here is 'when in doubt, favor the more restrictive option.' There shouldn't be both headers, but if there are, then CSP wins.
Ah, I see, you'd only send one header. Well, it still seems like it
might be a little more confusing to have essential data split across
multiple places (e.g., policy file vs. header name).
> It's valuable to set them up for as much success as possible.
It's a detail that I don't think is really a big deal in any event, so
I have no strong opinion. I do think that some report-only mode would
be almost essential for safe deployment in complicated preexisting
apps.