CSP Sandbox directive and meta tag - CSP 1.1

A couple months ago during our biweekly call we discussed how a CSP 
sandbox directive would be handled when the content security policy is 
specified in a meta tag.  We proposed ignoring the CSP sandbox directive 
if set in a meta policy.  This is because the sandbox flag needs to be 
set on navigation, and the <meta> tag with the policy isn't specified 
until after navigation and after a principal for the document has 
already been set.  Switching to the null principal after we discover the 
sandbox directive makes following the same-origin policy tricky since 
we'd already be halfway through parsing the document.

Bringing this up on the mailing list for further discussion. Thanks!

~Tanvi

Received on Tuesday, 18 September 2012 22:17:35 UTC
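
Added example (not part of the original message, and not code from any browser): a JavaScript sketch of the proposed rule, in which a policy parser drops the sandbox directive when the policy arrived in a <meta> tag and keeps it when the policy arrived in a response header. The function names, the `delivery` argument and the sample policy string are assumptions made for illustration.

```javascript
// Directives that cannot be honoured once the document already has a
// principal. Only "sandbox" is listed, per the proposal in this message.
const IGNORED_IN_META = new Set(["sandbox"]);

// Parse a serialized policy. `delivery` is "header" or "meta" (hypothetical
// parameter) and records how the policy reached the user agent.
function parsePolicy(serialized, delivery) {
  if (delivery !== "header" && delivery !== "meta") {
    throw new TypeError("delivery must be 'header' or 'meta'");
  }
  const directives = new Map();
  const ignored = [];
  for (const raw of serialized.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;        // empty segment, e.g. trailing ';'
    const name = tokens[0].toLowerCase();     // directive names are case-insensitive
    if (delivery === "meta" && IGNORED_IN_META.has(name)) {
      // The sandbox flag has to be set at navigation time; a <meta> policy
      // is only seen after the principal is fixed, so the directive is
      // dropped instead of switching principals mid-parse.
      ignored.push({ name, reason: "not enforceable from <meta>" });
      continue;
    }
    if (directives.has(name)) {               // first occurrence wins
      ignored.push({ name, reason: "duplicate directive" });
      continue;
    }
    directives.set(name, tokens.slice(1));
  }
  return { directives, ignored };
}

// True when the document would actually be sandboxed by this policy.
function sandboxApplies(serialized, delivery) {
  return parsePolicy(serialized, delivery).directives.has("sandbox");
}

// Constructed sample policy, not taken from the thread.
const SAMPLE = "default-src 'self'; sandbox allow-scripts; script-src 'self'";
console.log("header:", sandboxApplies(SAMPLE, "header"));
console.log("meta:  ", sandboxApplies(SAMPLE, "meta"));
console.log("ignored in meta:", parsePolicy(SAMPLE, "meta").ignored);
```

Reporting the dropped directive in `ignored` lets a caller log it, so a page author who relies on a <meta>-delivered sandbox finds out that it is not in effect.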