Re: [webappsec] CSP META tag support - keep or remove?

From: Tom Ritter <tom@ritter.vg>
Date: Tue, 27 Mar 2012 17:00:45 -0400
Message-ID: <CA+cU71=Y+r98zuOzdGuCRawpvgnkootwrNTJjWzpqmeezZj5cg@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On 27 March 2012 16:37, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 3/26/12 3:27 PM, Hill, Brad wrote:
>> * We have heard reports that the META tag is used to delay policy
>> enforcement: to pre-load some resources outside of CSP
>> restrictions, then inject it into a page to "lock it down".  If
>> this is to be a supported use-case, I think we need to update the
>> spec to make this very explicit.
>
> While sites might use that approach as a transitional device, I
> don't think it should be an explicitly supported use-case. The only
> safe way to use a <meta> policy is to put it first(-ish) in the
> document to minimize the risk of content injection that could negate it.

I was likewise kind of surprised this was used and reliable enough to
be even quasi-recommended or suggested, but not having tested it at
all, I didn't want to be the first to say so.

-tom
Received on Tuesday, 27 March 2012 21:01:34 GMT
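Added example, not part of the thread or of any W3C code: a small audit that flags a CSP <meta> tag preceded by elements that could already have fetched or executed content before the policy took effect, which is the "first(-ish)" placement point made above. It uses Python's standard html.parser; the set of flagged tags and the sample documents are this example's own choices.

```python
from html.parser import HTMLParser

# Elements that load or run content; if they come before the CSP <meta>,
# that content was fetched/executed before any policy existed.
# (The set is this example's choice, not something the thread defines.)
RISKY_BEFORE_CSP = {"script", "link", "style", "iframe", "img",
                    "object", "embed", "base", "frame", "video", "audio"}


class CspMetaAudit(HTMLParser):
    """Records the first CSP <meta> and any risky elements seen before it."""

    def __init__(self):
        super().__init__()
        self.policy = None        # content attribute of the first CSP <meta>
        self.preceding = []       # risky tags that appeared before it

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if self.policy is not None:
            return                # policy already in place; later tags are fine
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.policy = a.get("content", "")
        elif tag in RISKY_BEFORE_CSP:
            self.preceding.append(tag)


def audit_csp_meta(html: str) -> dict:
    """Return whether a CSP <meta> exists and whether it is 'first(-ish)'."""
    p = CspMetaAudit()
    p.feed(html)
    p.close()
    return {
        "found": p.policy is not None,
        "policy": p.policy,
        "preceding": p.preceding,
        "ok": p.policy is not None and not p.preceding,
    }


# Constructed sample documents: one with the "pre-load, then lock down"
# pattern discussed in the thread, one with the policy placed first.
LATE_META = """<html><head><title>t</title>
<script src="/preload.js"></script>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
</head><body></body></html>"""

EARLY_META = """<html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
<script src="/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for name, doc in (("late", LATE_META), ("early", EARLY_META)):
        print(name, audit_csp_meta(doc))
```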