CSP 1.1: Add non-normative language for extensions.

mikewest · mikewest · commit 73963d509b20 · 2014-02-27T14:10:00.000+01:00
After discussion outside the WG, on the list[1] and on the 2014-02-16 call[2], the WG decided to revisit the change in [3]. The language in this patch seems like a compromise that everyone can accept. [1]: http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0098.html [2]: http://www.w3.org/2014/02/26-webappsec-minutes.html [3]: cbfaa8e
diff --git a/specs/content-security-policy/csp-specification.dev.html b/specs/content-security-policy/csp-specification.dev.html
@@ -913,6 +913,10 @@ <h3>Processing Model</h3>
         usurp the resource's privileges that have been restricted in this
         way.</p>
 
+        <p>Note that user agents may allow users to modify or bypass policy
+        enforcement through user preferences, bookmarklets, third-party
+        additions to the user agent, and other such mechanisms.</p>
+
         <p>To <dfn id="monitor">monitor</dfn> a policy, the user agent MUST
         <a href="#parse-a-policy">parse the policy</a> and monitor each of
         the directives contained in the policy.</p>
