[whatwg] Clickjacking and CSRF
bil at corry.biz
Wed Jul 22 15:51:33 PDT 2009
Aryeh Gregor wrote on 7/22/2009 5:47 PM:
> On Wed, Jul 22, 2009 at 1:56 PM, Bil Corry<bil at corry.biz> wrote:
>> The idea here is 'when in doubt, favor the more restrictive option.' There shouldn't be both headers, but if there are, then CSP wins.
> Ah, I see, you'd only send one header. Well, it still seems like it
> might be a little more confusing to have essential data split across
> multiple places (e.g., policy file vs. header name).
To clarify, I was thinking this would run CSP in report-only mode:
X-Content-Security-Policy-ReportOnly: allow self
Then when you're satisfied with the ruleset, you merely rename the header to actually kick it on:
X-Content-Security-Policy: allow self
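As an added illustration (not code from the thread or from any CSP implementation), the following Python models the two-phase rollout described above using the 2009 draft header names and policy string quoted in the message; the helper names, the case-insensitive lookup and the "both headers present" lint are assumptions of this example.

```python
# Added example: staged CSP rollout and the "more restrictive wins" rule.
# Header names and the policy string come from the message; everything else
# (function names, lint output) is assumed for illustration.
from typing import Dict, List, Optional, Tuple

REPORT_ONLY = "X-Content-Security-Policy-ReportOnly"  # draft name used in 2009
ENFORCE = "X-Content-Security-Policy"                 # draft name used in 2009
POLICY = "allow self"


def csp_headers(enforce: bool, policy: str = POLICY) -> Dict[str, str]:
    """Emit exactly one CSP header. While tuning the ruleset, send the
    report-only header; once satisfied, flip `enforce` and only the header
    name changes, the policy text stays the same."""
    return {ENFORCE if enforce else REPORT_ONLY: policy}


def effective_policy(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Resolve which policy a client should act on. HTTP header names are
    case-insensitive, so compare lowercased. If both headers are present
    (a misconfiguration), favour the more restrictive option: enforcing wins."""
    lowered = {name.lower(): value for name, value in headers.items()}
    if ENFORCE.lower() in lowered:
        return ("enforce", lowered[ENFORCE.lower()])
    if REPORT_ONLY.lower() in lowered:
        return ("report-only", lowered[REPORT_ONLY.lower()])
    return None


def lint_headers(headers: Dict[str, str]) -> List[str]:
    """Configuration check a deployer can run against a response: flag the
    ambiguous case where both headers are sent, and the case where neither is."""
    names = {name.lower() for name in headers}
    warnings = []
    if ENFORCE.lower() in names and REPORT_ONLY.lower() in names:
        warnings.append("both enforcing and report-only headers sent; "
                        "enforcing header takes precedence")
    if not names & {ENFORCE.lower(), REPORT_ONLY.lower()}:
        warnings.append("no CSP header sent")
    return warnings
```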