- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 27 Mar 2012 13:37:59 -0700
- To: "Hill, Brad" <bhill@paypal-inc.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 3/26/12 3:27 PM, Hill, Brad wrote:
> * We have heard reports that the META tag is used to delay policy
> enforcement: to pre-load some resources outside of CSP
> restrictions, then inject it into a page to "lock it down". If
> this is to be a supported use-case, I think we need to update the
> spec to make this very explicit.

While sites might use that approach as a transitional device, I don't think it should be an explicitly supported use-case. The only safe way to use a <meta> policy is to put it first(-ish) in the document to minimize the risk of content injection that could negate it.

The HTML spec is clear that <meta "http-equiv"> has to happen in the <head>; we should be explicit about that requirement in the CSP spec as well.

-Dan Veditz
Received on Tuesday, 27 March 2012 20:38:36 UTC
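A static check for the placement rule Dan describes (policy inside <head>, nothing fetchable before it), added here as an example that is not part of the thread. It assumes the http-equiv name "Content-Security-Policy" and uses a simplified regex tag scanner rather than a real HTML parser, so tags inside comments or script bodies are not handled.

```javascript
// Added example, not from the thread: audit where a <meta http-equiv="Content-Security-Policy">
// sits in a document. Assumption: a regex tag scanner is good enough for lint purposes.

// Elements that can fetch or run content before a later <meta> policy would take effect.
const RESOURCE_TAGS = new Set(["script", "link", "style", "img", "iframe", "object", "embed", "video", "audio"]);

function auditMetaCsp(html) {
  const tagRe = /<\s*(\/?)([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
  let inHead = false;
  const preceding = [];   // resource-loading elements seen before the policy
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    const attrs = m[3];
    if (name === "head") { inHead = !closing; continue; }
    if (name === "meta" && /http-equiv\s*=\s*["']?content-security-policy["']?/i.test(attrs)) {
      const policy = (attrs.match(/content\s*=\s*"([^"]*)"/i) || [])[1] || "";
      // Outside <head> is the spec violation; "late" is the injection window Dan warns about.
      const verdict = !inHead ? "outside-head" : preceding.length ? "late" : "ok";
      return { found: true, inHead, preceding, policy, verdict };
    }
    if (!closing && RESOURCE_TAGS.has(name)) preceding.push(name);
  }
  return { found: false, inHead: false, preceding, policy: "", verdict: "missing" };
}

// Constructed sample documents for the three outcomes.
const GOOD_HTML = `<!doctype html><html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
<script src="/app.js"></script></head><body><img src="/a.png"></body></html>`;

const LATE_HTML = `<!doctype html><html><head><title>t</title>
<script src="https://cdn.example/lib.js"></script>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'"></head><body></body></html>`;

const BODY_HTML = `<!doctype html><html><head><title>t</title></head>
<body><meta http-equiv="Content-Security-Policy" content="default-src 'self'"><p>hi</p></body></html>`;

for (const [label, doc] of [["good", GOOD_HTML], ["late", LATE_HTML], ["body", BODY_HTML]]) {
  const r = auditMetaCsp(doc);
  console.log(`${label}: ${r.verdict} (preceding: ${r.preceding.join(", ") || "none"})`);
}
```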