- From: Kevin Hill <khill@microsoft.com>
- Date: Fri, 6 Jun 2014 13:39:36 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Looking at section 3.1.3 HTML meta Element of the 1.1 spec. Content security policy (http-equiv="content-security-policy") 1. If the user agent is already enforcing a policy for the document, abort these steps. Is the intent that if a server policy is supplied that any meta elements would be ignored? When I took a first read I skimmed over this part and had thought that meta Element tags would be added to the policies coming from the server. This seems to be how this 1.1 option is implemented in Chrome currently. Or is this trying to capture the potential race condition depending on where a developer places the meta Element in their page?
Received on Monday, 9 June 2014 20:22:46 UTC