
Re: [webappsec] CSP META tag support - keep or remove?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 27 Mar 2012 13:37:59 -0700
Message-ID: <4F722527.8020300@mozilla.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 3/26/12 3:27 PM, Hill, Brad wrote:
> * We have heard reports that the META tag is used to delay policy
> enforcement: to pre-load some resources outside of CSP
> restrictions, then inject it into a page to "lock it down".  If
> this is to be a supported use-case, I think we need to update the
> spec to make this very explicit.

While sites might use that approach as a transitional device, I
don't think it should be an explicitly supported use-case. The only
safe way to use a <meta> policy is to put it first(-ish) in the
document to minimize the risk of content injection that could negate it.

The HTML spec is clear that <meta "http-equiv"> has to happen in the
<head>; we should be explicit about that requirement in the CSP spec
as well.

-Dan Veditz
Received on Tuesday, 27 March 2012 20:38:36 GMT