- From: John Wilander <john.wilander@owasp.org>
- Date: Thu, 26 Apr 2012 11:52:00 +0200
- To: public-web-security@w3.org
- Message-ID: <CALrECXAj_17kvUSdLVeJZPuaBsVdRAXq6LztE5sKkj0z-gHdTA@mail.gmail.com>

I cannot find any reference to support or non-support for CSP via meta http-equiv tags in the current draft
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html

Also, a search through my email doesn't reveal any obvious discussion on taking meta header support out. On the contrary, I found several references to meta header support from 2011. Is there a discussion I've missed?

If meta header support was dropped, have we considered all the frontend-only apps being built out there? I have several projects of my own that don't have a server-side, and with regular hosting providers you don't get to simply add response headers to the web server.

I would also argue that adoption is far simpler if you can just add a meta header in the index.html of your single-page app than start configuring the web server locally, in the test environment and in production with potential changes in outgoing filters etc. Even scoping is much simpler with a meta header in a static file instead of configuring response headers per context root.

Thoughts?

Regards, John

--
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
My music http://www.johnwilander.com & my résumé http://johnwilander.se

Received on Thursday, 26 April 2012 09:52:34 UTC