[whatwg] Clickjacking and CSRF

Bil Corry bil at corry.biz
Wed Jul 22 15:51:33 PDT 2009


Aryeh Gregor wrote on 7/22/2009 5:47 PM: 
> On Wed, Jul 22, 2009 at 1:56 PM, Bil Corry<bil at corry.biz> wrote:
>> The idea here is 'when in doubt, favor the more restrictive option.'  There shouldn't be both headers, but if there are, then CSP wins.
> 
> Ah, I see, you'd only send one header.  Well, it still seems like it
> might be a little more confusing to have essential data split across
> multiple places (e.g., policy file vs. header name).

To clarify, I was thinking this would run CSP in report-only mode:

	X-Content-Security-Policy-ReportOnly: allow self

Then when you're satisfied with the ruleset, you merely rename the header to actually kick it on:

	X-Content-Security-Policy: allow self



- Bil




More information about the whatwg mailing list