- From: David Bruant <bruant.d@gmail.com>
- Date: Thu, 30 Jan 2014 12:49:58 +0100
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Hi,

This is a bit of rehashing of discussions that were had starting at [1] on <meta name="referrer">.

For the <meta> element, you need to:

* define how it works in relation to <base>
  => I imagine it'll ignore it. Related http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2012-January/034520.html
* browsers may keep parsing HTML and sending HTTP requests (for link @rel stylesheet for instance) while the <meta http-equiv="Content-Security-Policy"> is being handled in parallel. Should the browser hold off all HTTP requests until the meta-csp is fully parsed?
  => I imagine yes, but the spec isn't 100% clear on the topic.
* What if I do the following in my page:

````js
var metaCSP = document.createElement('meta');
metaCSP.setAttribute('http-equiv', "Content-Security-Policy");
metaCSP.setAttribute('content', myCSPPolicy);
document.head.appendChild(metaCSP);
````

This is a dumb thing to do, but nothing prevents it in the current spec unless I'm missing something. It should probably do nothing and the spec should probably suggest caring only about parser-inserted meta elements.

Likewise, the spec should say that changes to an existing meta will be ignored. It's at best implicit in the current prose.

David

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=704320#c9

Received on Thursday, 30 January 2014 11:50:29 UTC