- From: Tanvi Vyas <tanvi@mozilla.com>
- Date: Tue, 18 Sep 2012 15:17:08 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>

A couple months ago during our biweekly call we discussed how a CSP sandbox directive would be handled when the content security policy is specified in a meta tag. We proposed ignoring the CSP sandbox directive if set in a meta policy. This is because the sandbox flag needs to be set on navigation, and the <meta> tag with the policy isn't specified until after navigation and after a principal for the document has already been set. Switching to the null principal after we discover the sandbox directive makes following the same origin policy tricky since we'd already be halfway through parsing the document.

Bringing this up on the mailing list for further discussion.

Thanks!

~Tanvi

Received on Tuesday, 18 September 2012 22:17:35 UTC
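
The proposal in the message above, sketched as an added example that is not part of the original post or of any browser's code: a policy parser that keeps `sandbox` when the policy arrives in a response header (before the document's principal is chosen) and drops it when the policy is found in a `<meta>` tag. The function names, the `"header"`/`"meta"` delivery labels and the sample policy are assumptions made for illustration.

```javascript
// Added illustration; names and sample values are constructed, not from the post.

// Split a serialized policy into a Map of directive name -> token list.
// A repeated directive name is ignored; the first occurrence wins.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const chunk of serialized.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// delivery is "header" (policy known at navigation time) or "meta"
// (policy discovered mid-parse, after the principal is already set).
function effectivePolicy(serialized, delivery) {
  if (delivery !== "header" && delivery !== "meta") {
    throw new Error("unknown delivery: " + delivery);
  }
  const directives = parsePolicy(serialized);
  const ignored = [];
  if (delivery === "meta" && directives.has("sandbox")) {
    // Too late to switch to the null principal: ignore the directive
    // and record that it was dropped so it can be reported to the author.
    directives.delete("sandbox");
    ignored.push("sandbox");
  }
  // sandbox: null means "not sandboxed"; an array (possibly empty) lists
  // the allow-* tokens that relax an otherwise fully sandboxed document.
  const sandbox = directives.has("sandbox") ? directives.get("sandbox") : null;
  return { directives, ignored, sandbox };
}

// Constructed sample policy.
const SAMPLE = "default-src 'self'; sandbox allow-scripts; script-src 'self'";

for (const delivery of ["header", "meta"]) {
  const result = effectivePolicy(SAMPLE, delivery);
  console.log(delivery, "sandbox =", result.sandbox, "ignored =", result.ignored);
}
```
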