
RE: ISSUE-30: How to address dynamic application of CSP post page load / partial page load via META or script interface

From: Fred Andrews <fredandw@live.com>
Date: Mon, 5 Nov 2012 01:47:37 +0000
Message-ID: <BLU002-W334D2C484F5672D3FBFEB4AA640@phx.gbl>
To: Web Application Security Working Group <public-webappsec@w3.org>

Intersecting the meta element with the HTTP header is the technically secure approach.

Only applying the meta element once when loading and parsing the head section is technically the most secure approach, and this should ideally be done before acting on any script elements.

Ignoring modifications to the CSP via subsequent injection or modification of a meta element or via a script interface is the secure approach.

There is some relevant discussion here: https://bugzilla.mozilla.org/show_bug.cgi?id=663570

cheers
Fred

> Date: Fri, 2 Nov 2012 08:23:59 +0000
> To: public-webappsec@w3.org
> From: sysbot+tracker@w3.org
> Subject: ISSUE-30: How to address dynamic application of CSP post page load / partial page load via META or script interface
> 
> ISSUE-30: How to address dynamic application of CSP post page load / partial page load via META or script interface
> 
> http://www.w3.org/2011/webappsec/track/issues/30
> 
> Raised by: 
> On product: 
Received on Monday, 5 November 2012 01:48:05 GMT
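The policy intersection Fred argues for, as an added example that is not part of this thread and not any browser's CSP code: a deliberately simplified CSP matcher (assumption: only host-sources, scheme-sources, 'self', 'none' and '*' are matched; nonces, hashes and path matching are left out) whose combination rule is that a request must be allowed by the header policy and by the meta policy. It contrasts that with letting a meta element replace the header. The origin app.example, the hosts cdn.example and evil.example, and the three policies are constructed for the example.

```javascript
// Added example: combining a header-delivered CSP with a <meta>-delivered CSP by
// intersection, i.e. a request is allowed only if EVERY delivered policy allows it.
// Simplified matcher (assumption): host-sources, scheme-sources, 'self', 'none'
// and '*' only; nonces, hashes and path matching are left out.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "name v1 v2; name2 v3" -> Map(name -> [v1, v2]). A repeated directive name is
// ignored, as CSP does, so a later copy cannot override an earlier directive.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const token of serialized.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// host-source: [scheme://][*.]host[:port|:*]  (parsed by hand, not via URL())
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?$/.exec(expr);
  if (!m) return null;
  return { scheme: m[1] ? m[1] + ':' : null, wildcard: Boolean(m[2]), host: m[3], port: m[4] || null };
}

// Does one source expression match a parsed request URL?
function sourceMatches(expr, req, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === '*') return true;
  if (e === "'self'") return req.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return req.protocol === e; // scheme-source, e.g. "https:"
  const hs = parseHostSource(e);
  if (!hs) return false; // other keywords ('unsafe-inline', ...) never match a URL
  if (hs.scheme && hs.scheme !== req.protocol) return false;
  const reqPort = req.port || DEFAULT_PORT[req.protocol] || '';
  // No port in the source: the request must use its scheme's default port.
  const portMismatch = hs.port === null ? req.port !== '' : (hs.port !== '*' && hs.port !== reqPort);
  if (portMismatch) return false;
  return hs.wildcard ? req.hostname.endsWith('.' + hs.host) : req.hostname === hs.host;
}

// One policy's verdict: the specific fetch directive, else default-src, else unrestricted.
function policyAllows(policy, directive, requestUrl, pageOrigin) {
  const list = policy.get(directive) ?? policy.get('default-src');
  if (list === undefined) return true;
  const req = new URL(requestUrl);
  return list.some((expr) => sourceMatches(expr, req, pageOrigin));
}

// Intersection: every delivered policy (header and meta alike) must allow the request,
// so a meta element can only tighten what the header allows, never widen it.
function allowedByAll(policies, directive, requestUrl, pageOrigin) {
  return policies.every((p) => policyAllows(p, directive, requestUrl, pageOrigin));
}

function demo() {
  const pageOrigin = 'https://app.example'; // constructed
  const header = parsePolicy("default-src 'none'; script-src 'self' https://cdn.example");
  // Constructed attacker-injected <meta>: repeats the header's list and appends a host.
  const injectedMeta = parsePolicy("script-src 'self' https://cdn.example https://evil.example");
  // Constructed legitimate <meta> that only tightens the header.
  const tighterMeta = parsePolicy("script-src 'self'");
  const cdn = 'https://cdn.example/lib.js';
  const evil = 'https://evil.example/x.js';
  return {
    cdnAllowed: allowedByAll([header, injectedMeta], 'script-src', cdn, pageOrigin),
    evilAllowedIfIntersected: allowedByAll([header, injectedMeta], 'script-src', evil, pageOrigin),
    evilAllowedIfMetaReplacedHeader: allowedByAll([injectedMeta], 'script-src', evil, pageOrigin),
    imgAllowed: allowedByAll([header, injectedMeta], 'img-src', 'https://cdn.example/a.png', pageOrigin),
    cdnAllowedWithTighterMeta: allowedByAll([header, tighterMeta], 'script-src', cdn, pageOrigin),
  };
}

console.log(demo());
```

The two evil.example results are the point of the message: with intersection the injected meta policy changes nothing the header did not already permit, whereas a replace-the-header model would let the injected meta open the page to an attacker's host. Note also that the header's default-src 'none' keeps governing img-src even though the meta policy says nothing about images.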
