Open RByers opened 8 years ago
Yeah, either approach is fine. I'm hoping to refer to the appropriate sections in CSP in order to "inherit" that language from it, as the behavior we need from it is similar. We want meta tags to be able to apply a stricter policy, but not relax it (e.g. we don't want a script running in the context of the main page to be able to turn off CPP).
Makes sense, thanks.
Most CSP policies can be provided via either an HTTP header or a `<meta http-equiv>` tag. I assume either approach is fine here, right? Should the spec say this explicitly somewhere?