- From: Fred Andrews <fredandw@live.com>
- Date: Mon, 5 Nov 2012 01:47:37 +0000
- To: Web Application Security Working Group <public-webappsec@w3.org>
Received on Monday, 5 November 2012 01:48:05 UTC
Intersecting the meta element with the HTTP header is the technically secure approach. Only applying the meta element once when loading and parsing the head section is technically the most secure approach, and this should ideally be done before acting on any script elements. Ignoring modifications to the CSP via subsequent injection or modification of a meta element or via a script interface is the secure approach. There is some relevant discussion here: https://bugzilla.mozilla.org/show_bug.cgi?id=663570 cheers Fred > Date: Fri, 2 Nov 2012 08:23:59 +0000 > To: public-webappsec@w3.org > From: sysbot+tracker@w3.org > Subject: ISSUE-30: How to address dynamic application of CSP post page load / partial page load via META or script interface > > ISSUE-30: How to address dynamic application of CSP post page load / partial page load via META or script interface > > http://www.w3.org/2011/webappsec/track/issues/30 > > Raised by: > On product: > > > > >
Received on Monday, 5 November 2012 01:48:05 UTC