
CSP in meta header unsupported? Link to discussion?

From: John Wilander <john.wilander@owasp.org>
Date: Thu, 26 Apr 2012 11:52:00 +0200
Message-ID: <CALrECXAj_17kvUSdLVeJZPuaBsVdRAXq6LztE5sKkj0z-gHdTA@mail.gmail.com>
To: public-web-security@w3.org
I cannot find any reference to support or non-support for CSP via meta
http-equiv tags in the current draft
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html

Also, a search through my email doesn't reveal any obvious discussion on
taking meta header support out. On the contrary, I found several references
to meta header support from 2011. Is there a discussion I've missed?

If meta header support was dropped, have we considered all the
frontend-only apps being built out there? I have several projects of my own
that don't have a server side, and with regular hosting providers you
don't get to simply add response headers to the web server.

I would also argue that adoption is far simpler if you can just add a meta
header in the index.html of your single-page app than start configuring the
web server locally, in the test environment and in production with
potential changes in outgoing filters etc. Even scoping is much simpler
with a meta header in a static file instead of configuring response headers
per context root.

Thoughts?

   Regards, John

-- 
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
My music http://www.johnwilander.com & my résumé http://johnwilander.se
Received on Thursday, 26 April 2012 09:52:34 GMT
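
An added example, not part of the original message or of the CSP draft it links to: a Python check that a build step could run over a static index.html when the policy is delivered by meta tag, as the message proposes. It assumes the meta-delivery rules later standardized in CSP Level 2 (the tag must sit inside `<head>`, the policy does not cover content parsed before it, and `frame-ancestors`, `report-uri` and `sandbox` are ignored) and a file with an explicit `<head>` tag; `audit_meta_csp` and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
# Directives ignored when a policy is delivered via <meta> (CSP Level 2+).
META_IGNORED = {"frame-ancestors", "report-uri", "sandbox"}

class _MetaCspScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.scripts_before = 0  # <script> tags seen before the first policy
        self.policies = []       # content values of meta policies inside <head>
        self.misplaced = 0       # meta policies outside <head>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "head":
            self.in_head = True
        elif tag == "script" and not self.policies:
            self.scripts_before += 1
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "content-security-policy":
            if self.in_head:
                self.policies.append(attrs.get("content") or "")
            else:
                self.misplaced += 1

    def handle_endtag(self, tag):
        self.in_head = self.in_head and tag != "head"

def audit_meta_csp(html):
    """Return findings for a static page's meta-delivered CSP."""
    scan = _MetaCspScan()
    scan.feed(html)
    scan.close()
    findings = []
    if scan.misplaced:
        findings.append("meta policy outside <head> is ignored")
    if not scan.policies:
        return findings + ["no effective meta policy"]
    if scan.scripts_before:
        findings.append(f"{scan.scripts_before} script(s) parsed before the policy")
    for policy in scan.policies:
        for directive in filter(None, (d.strip() for d in policy.split(";"))):
            name = directive.split()[0].lower()
            if name in META_IGNORED:
                findings.append(f"'{name}' is ignored in a meta policy")
    return findings

# Constructed sample: index.html of a single-page app with three problems.
SAMPLE = """<html><head><script src="/early.js"></script>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-ancestors 'none'; report-uri /csp">
</head><body><script src="/app.js"></script></body></html>"""
```

Calling `audit_meta_csp(SAMPLE)` reports the script loaded before the policy and the two directives that only take effect when sent as a response header.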
