ISSUE-35: Should we add an "httpOnly" like directive to CSP to indicate that the state of this policy is not available to the script APIs?

Should we add an "httpOnly" like directive to CSP to indicate that the state of this policy is not available to the script APIs?

State:
CLOSED
Product:
CSP Level 2
Raised by:
Opened on:
2012-11-02
Description:
Related Actions Items:
No related actions
Related emails:
No related emails

Related notes:

consensus at 4/25 F2F is no, but that some potentially sensitive parts of the policy should just be removed from the script interface entirely (especially reportURIs[])

Brad Hill, 25 Apr 2013, 18:23:15

Display change log ATOM feed

Daniel Veditz <dveditz@mozilla.com>, Mike West <mkwst@google.com>, Chairs, Wendy Seltzer <wseltzer@w3.org>, Samuel Weiler <weiler@w3.org>, Staff Contacts
Tracker: documentation, (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <w3t-sys@w3.org>.
$Id: 35.html,v 1.1 2020/01/17 08:52:30 carcone Exp $