- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Fri, 21 Jan 2011 14:47:13 -0800
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, gaz Heyes <gazheyes@gmail.com>, Giorgio Maone <g.maone@informaction.com>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>
> The <meta> tag raises the issue of what to do if the policy is found
> after something that should have been covered by the policy. Ignore
> the policy (too late!), ignore the violation (injected scripts win),
> maybe reparse the document from the beginning and hope there weren't
> earlier violations that matter? Not insurmountable, but definitely
> will add to the complexity of the spec.

Yes, that's a problem if you allow multiple <meta> tags to specify a single valid policy. In Adam's proposal, the policy must appear in a single tag, which allows you to simply ignore all subsequent <meta>s that would broaden the policy (and it can't be narrowed down, ruling out the risk of policy deployment errors that accidentally give too much access because of this parsing precedence).

/mz
Received on Friday, 21 January 2011 22:48:06 UTC