Open
Description
The spec constantly speaks as if Server is a valid conforming class. However, all conformance requirements for servers are "MAY". This clearly indicates that the server is not a conforming class, but more of a thing that emits policies to be enforced by the client (hence, anything to do with the server can only ever be "authoring guidelines" at best!).
I would recommend dropping the server as a conforming class and changing all "server MAY" statements to statements of fact: "A server can".
Consider, these are all TRUE facts:
- A server can send more than one HTTP header field named Content-Security-Policy with a given resource representation.
- A server can send different Content-Security-Policy header field values with different representations of the same resource or with different resources.
- A server can send more than one HTTP header field named Content-Security-Policy-Report-Only with a given resource representation.
- and so on... you get the idea.

Given the facts above, the user agent (client) is forced to deal with the above situations through the algorithms defined in the specification.
That sets more realistic expectations about what conforming user agents can expect from server responses - especially when the servers send "funky" things that the client needs to make sense of and enforce.
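As an added illustration of the client-side handling the issue refers to (this is example code written for this note, not code from the issue author, the CSP spec, or any user agent), the model below shows how a user agent deals with several `Content-Security-Policy` and `Content-Security-Policy-Report-Only` header fields on one response: each serialized policy (including comma-joined ones within a single field value) becomes an independent policy, duplicate directive names inside one policy are ignored after the first, a load is permitted only if every enforced policy allows it, and report-only policies record a violation without blocking. Source-expression matching is deliberately simplified to `'none'`, `'self'`, `*` and exact origins; the header values are constructed sample data.

```python
"""Added example: how a client combines several CSP header fields.

Simplified model for illustration only. Real source-list matching (schemes,
wildcard hosts, nonces, hashes, paths) is far richer than what is handled here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Policy:
    directives: Dict[str, List[str]]  # directive name -> source expressions
    report_only: bool


def parse_policy(serialized: str, report_only: bool = False) -> Policy:
    """Parse one serialized policy, e.g. "default-src 'self'; img-src *".

    A directive name that appears twice in one policy keeps its first value;
    the later occurrence is ignored, as CSP requires.
    """
    directives: Dict[str, List[str]] = {}
    for token in serialized.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in directives:
            directives[name] = parts[1:]
    return Policy(directives, report_only)


def parse_header_fields(field_values: List[str], report_only: bool = False) -> List[Policy]:
    """Turn every header field value into one or more policies.

    HTTP allows repeated header fields to be joined with commas, and CSP
    directive values never contain commas, so a comma always separates policies.
    """
    policies: List[Policy] = []
    for value in field_values:
        for serialized in value.split(","):
            if serialized.strip():
                policies.append(parse_policy(serialized, report_only))
    return policies


def build_policies(enforced_fields: List[str], report_only_fields: List[str]) -> List[Policy]:
    """All policies that apply to the response, enforced ones first."""
    return parse_header_fields(enforced_fields) + parse_header_fields(report_only_fields, True)


def source_allowed(source_list: List[str], origin: str, self_origin: str) -> bool:
    """Simplified source-list match: 'none', 'self', '*' and exact origins only."""
    lowered = [e.lower() for e in source_list]
    if not lowered or lowered == ["'none'"]:  # empty list matches nothing
        return False
    for expr in lowered:
        if expr == "*":
            return True
        if expr == "'self'" and origin == self_origin:
            return True
        if expr == origin.lower():
            return True
    return False


def effective_directive(policy: Policy, directive: str) -> Optional[List[str]]:
    """Fetch directives fall back to default-src; None means this policy has no say."""
    if directive in policy.directives:
        return policy.directives[directive]
    return policy.directives.get("default-src")


def check_load(policies: List[Policy], directive: str, origin: str,
               self_origin: str) -> Tuple[bool, List[Tuple[int, bool]]]:
    """Return (allowed, violations).

    violations lists (policy index, report_only). A load is blocked as soon as
    any *enforced* policy rejects it; report-only rejections are only recorded.
    """
    allowed = True
    violations: List[Tuple[int, bool]] = []
    for index, policy in enumerate(policies):
        sources = effective_directive(policy, directive)
        if sources is None:
            continue
        if not source_allowed(sources, origin, self_origin):
            violations.append((index, policy.report_only))
            if not policy.report_only:
                allowed = False
    return allowed, violations


if __name__ == "__main__":
    # Constructed sample response headers: two enforced fields, one report-only.
    enforced = ["default-src 'self'; img-src 'self' https://cdn.example",
                "img-src https://cdn.example"]
    report_only = ["default-src 'none'"]
    pols = build_policies(enforced, report_only)
    print(check_load(pols, "img-src", "https://cdn.example", "https://app.example"))
    print(check_load(pols, "img-src", "https://app.example", "https://app.example"))
```

The second enforced policy is stricter than the first for images, so an image from the page's own origin is blocked even though the first policy's `'self'` would permit it; the report-only `default-src 'none'` never blocks anything but shows up in every violation list.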