(→User-Agent and Other Client-Side Considerations: no version beacon)
Line 438: | Line 438: | ||
=User-Agent and Other Client-Side Considerations= | =User-Agent and Other Client-Side Considerations= | ||
; User Scripts : CSP should not interfere with the operation of user-supplied scripts (such as browser add-ons and bookmarklets). | ; User Scripts : CSP should not interfere with the operation of user-supplied scripts (such as browser add-ons and bookmarklets). | ||
Line 445: | Line 443: | ||
; Redirects to Content : When a resource is requested from a URI ''X[0]'' protected by a policy ''CSP'', that resource's URI is only loaded if permitted by ''CSP''. If the URI ''X[0]'' resolves to an HTTP redirect of any kind (temporary or permanent) the new URI ''X[1]'' is also required to be permitted by the policy ''CSP''. The effect is that all requests generated by the document must be permitted by the CSP whether they are the initial request or the steps taken during a redirect. | ; Redirects to Content : When a resource is requested from a URI ''X[0]'' protected by a policy ''CSP'', that resource's URI is only loaded if permitted by ''CSP''. If the URI ''X[0]'' resolves to an HTTP redirect of any kind (temporary or permanent) the new URI ''X[1]'' is also required to be permitted by the policy ''CSP''. The effect is that all requests generated by the document must be permitted by the CSP whether they are the initial request or the steps taken during a redirect. | ||
; Future Directives : In order to support future directives (or new versions of this spec), CSP must parse but ignore directives with unknown names. When an unknown directive is encountered by the UA, a warning is posted to the error console, and the directive is ignored. | |||
== Report-Only mode == | == Report-Only mode == |
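Review bot: The "Future Directives" item in this hunk appears in only one column, so this edit changes it, yet the edit summary mentions only the version beacon. If the item is being dropped, the page no longer states what a user agent does with a directive name it does not recognise (parse it, post a warning to the error console, ignore it), and that rule decides how a client built against this version handles a policy written for a later one. Either keep the item or note in the summary where the rule now lives. If it stays, consider adding that an ignored directive means the client enforces less than the policy author wrote, with the console warning as the only signal.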