- From: Fred Andrews <fredandw@live.com>
- Date: Tue, 27 Nov 2012 23:45:53 +0000
- To: "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Tuesday, 27 November 2012 23:46:21 UTC
Dear Brad, Using a <meta> element for the CSP is problematic and I recommend it be moved to an attribute on the <html> element. Further I recommend that injection of such an attribute be ignored so that only the static markup can have any effect. Using a <meta> element opens a range of complex issues, such as synchronizing the start of a CSP with ongoing asynchronous page load actions and the retrospective application of restrictions to running JS contexts. To make it reliable might require the introduction of a dependency notation and this may not be worth the effort. The security work of PUA CG requires a static mechanism for specifying the CSP to avoid the initiation of the CSP being used to leak information and a <html> attribute will likely be used to avoid having to reading ahead for a CSP <meta> element. This appears much easier to implement and would be a subset of the proposed CSP 1.1 <meta> element and perhaps it would be adequate and better suit browser vendors anyway. cheers Fred From: bhill@paypal-inc.com To: public-webappsec@w3.org Date: Tue, 27 Nov 2012 22:01:20 +0000 Subject: [webappsec] Call for Consensus: CSP 1.1 to FPWD
Received on Tuesday, 27 November 2012 23:46:21 UTC