Skip to content

/ webappsec

Permalink
Browse files

CSP 1.1: Add non-normative language for extensions. 

After discussion outside the WG, on the list[1] and on the
2014-02-16 call[2], the WG decided to revisit the change in
[3]. The language in this patch seems like a compromise that
everyone can accept.

[1]: http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0098.html
[2]: http://www.w3.org/2014/02/26-webappsec-minutes.html
[3]: cbfaa8e
  • Loading branch information
@mikewest
mikewest committed Feb 27, 2014
1 parent 44e2a2a commit 73963d509b20513a6f42b1e0839715aca8b578b0
Unified Split
Showing with 4 additions and 0 deletions.
  1. +4 −0 specs/content-security-policy/csp-specification.dev.html
4 specs/content-security-policy/csp-specification.dev.html
View file
@@ -913,6 +913,10 @@ <h3>Processing Model</h3>
usurp the resource's privileges that have been restricted in this
way.</p>

<p>Note that user agents may allow users to modify or bypass policy

This comment has been minimized.

Sign in to view
Copy link
@pombredanne

pombredanne Mar 3, 2014

Why may and not should?

This comment has been minimized.

Sign in to view
Copy link
@metromoxie

metromoxie Mar 3, 2014

Contributor

Please see http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0005.html for more background on this. That particular email sums it up pretty well, although the discussion on the thread goes into much more depth.
enforcement through user preferences, bookmarklets, third-party
additions to the user agent, and other such mechanisms.</p>

<p>To <dfn id="monitor">monitor</dfn> a policy, the user agent MUST
<a href="#parse-a-policy">parse the policy</a> and monitor each of
the directives contained in the policy.</p>

0 comments on commit 73963d5

Please sign in to comment.