diff --git a/csp-specification.dev.html b/csp-specification.dev.html --- a/csp-specification.dev.html +++ b/csp-specification.dev.html @@ -291,16 +291,23 @@ inject CSP policies into vulnerable documents.
report-uri
directive in CSP policies
obtained from meta
elements. This requirement
mitigates one attack that might result from an injected policy.
It also provides a carrot for supplying the policy in an HTTP
header, which is better for security.sandbox
and frame-options
+ directives before starting to render a document in a frame,
+ When either of these directives are encountered in a
+ meta
element the user agent MUST ignore them and SHOULD
+ report a warning to the developer console.meta
element as early as possible in their document to reduce the risk
of an attacker injecting another policy in front.meta
elements that get
inserted after the document's readyState reaches "interactive".
This requirement further mitigates the risk of the
meta
element being injected. (Is this requirement
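Review bot: The added normative sentence has two wording problems. "When either of these directives are encountered" should read "When either of these directives is encountered" (singular subject), and the preceding added line "directives before starting to render a document in a frame," ends in a comma where the sentence ends, so "When either ..." begins mid-sentence; end that line with a period. The rationale is otherwise sound and worth stating explicitly in the text: the sandbox and frame-options directives have to be applied before the user agent starts rendering the document in a frame, and a policy in a meta element is only discovered during parsing, so honouring it there would be too late and would also hand an injected meta element a way to alter framing or sandboxing, the same class of risk the existing report-uri restriction guards against.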
@@ -1461,16 +1468,20 @@ token = <token from RFC 2
When enforcing the sandbox
directive, the user agent
MUST parse
the sandboxing directive using the directive-value
as the input and protected resource's
forced sandboxing flag set
as the output. [[!HTML5]]
The sandbox
directive MUST be ignored when found in a
+ policy specified in a meta
element. The user agent SHOULD
+ report a warning to the developer console.
HTML5 defines a
sandbox
attribute
for iframe
elements, intended to allow web authors to
reduce the risk of including potentially untrusted content by imposing
restrictions on that content's abilities. When the attribute is set,
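Review bot: The requirement added here ("The sandbox directive MUST be ignored when found in a policy specified in a meta element. The user agent SHOULD report a warning to the developer console.") duplicates the MUST ignore / SHOULD warn rule that the earlier hunk adds to the meta-element section, so the same normative statement now lives in two places and can drift; keep one as the normative text and have the other reference it ("as required in the section on meta elements"). Two smaller points: the earlier hunk names both sandbox and frame-options, but only the sandbox directive's section is updated in the hunks shown, so the frame-options directive's section needs the parallel sentence if it exists; and the passive "MUST be ignored" should match the active "the user agent MUST ignore" used in the earlier hunk and in the "the user agent MUST parse" sentence directly above.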