RE: ISSUE-30: How to address dynamic application of CSP post page load / partial page load via META or script interface from Fred Andrews on 2012-11-05 (public-webappsec@w3.org from November 2012)

From: Fred Andrews <fredandw@live.com>
Date: Mon, 5 Nov 2012 01:47:37 +0000
To: Web Application Security Working Group <public-webappsec@w3.org>
Message-ID: <BLU002-W334D2C484F5672D3FBFEB4AA640@phx.gbl>

Intersecting the meta element with the HTTP header is the technically secure approach.

Only applying the meta element once when loading and parsing the head section is technically the most secure approach, and this should ideally be done before acting on any script elements.

Ignoring modifications to the CSP via subsequent injection or modification of a meta element or via a script interface is the secure approach.

There is some relevant discussion here: https://bugzilla.mozilla.org/show_bug.cgi?id=663570

cheers
Fred

> Date: Fri, 2 Nov 2012 08:23:59 +0000
> To: public-webappsec@w3.org
> From: sysbot+tracker@w3.org
> Subject: ISSUE-30: How to address dynamic application of CSP post page load / partial page load via META or script interface
> 
> ISSUE-30: How to address dynamic application of CSP post page load / partial page load via META or script interface
> 
> http://www.w3.org/2011/webappsec/track/issues/30
> 
> Raised by: 
> On product: 
> 
> 
> 
> 
>

Received on Monday, 5 November 2012 01:48:05 UTC