CSP 1.1: Add non-normative language for extensions.
After discussion outside the WG, on the list[1] and on the
2014-02-16 call[2], the WG decided to revisit the change in
[3]. The language in this patch seems like a compromise that
everyone can accept.

[1]: http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0098.html
[2]: http://www.w3.org/2014/02/26-webappsec-minutes.html
[3]: cbfaa8e
mikewest committed Feb 27, 2014
1 parent 44e2a2a commit 73963d5
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions specs/content-security-policy/csp-specification.dev.html
Expand Up @@ -913,6 +913,10 @@ <h3>Processing Model</h3>
usurp the resource's privileges that have been restricted in this
way.</p>

<p>Note that user agents may allow users to modify or bypass policy


pombredanne Mar 3, 2014

Why may and not should?


metromoxie Mar 3, 2014

Contributor

Please see http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0005.html for more background on this. That particular email sums it up pretty well, although the discussion on the thread goes into much more depth.

enforcement through user preferences, bookmarklets, third-party
additions to the user agent, and other such mechanisms.</p>

<p>To <dfn id="monitor">monitor</dfn> a policy, the user agent MUST
<a href="#parse-a-policy">parse the policy</a> and monitor each of
the directives contained in the policy.</p>
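
Review bot: The added paragraph beginning "Note that user agents may allow users to modify or bypass policy" uses a lowercase "may" in a plain <p>, directly above a paragraph that uses the normative keyword "MUST", so neither the markup nor the wording tells a reader that this text is non-normative, which is what the commit title says it is meant to be. Consider marking the paragraph explicitly as an informative note, or rewording "may" to "might" or "can" so it is not read as an RFC 2119 MAY; either change would also settle the inline question about "may" versus "should".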