CSP in meta header unsupported? Link to discussion?

I cannot find any reference to support or non-support for CSP via meta
http-equiv tags in the current draft

Also, a search through my email doesn't reveal any obvious discussion on
taking meta header support out. On the contrary, I found several references
to meta header support from 2011. Is there a discussion I've missed?

If meta header support was dropped, have we considered all the
frontend-only apps being built out there? I have several projects of my own
that doesn't have a server-side and with regular hosting providers you
don't get to simply add response headers to the web server.

I would also argue that adoption is far simpler if you can just add a meta
header in the index.html of your single-page app than start configuring the
web server locally, in the test environment and in production with
potential changes in outgoing filters etc. Even scoping is much simpler
with a meta header in a static file instead of configuring response headers
per context root.


   Regards, John

John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
My music http://www.johnwilander.com & my résumé http://johnwilander.se

Received on Thursday, 26 April 2012 09:52:34 UTC