
Header Policy Vs. Meta tag policy

From: Kevin Hill <khill@microsoft.com>
Date: Fri, 6 Jun 2014 13:39:36 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <edb513c92cee4764bc0aef3b6fccf9bf@SN2PR03MB031.namprd03.prod.outlook.com>

Looking at section 3.1.3 HTML meta Element of the 1.1 spec.

Content security policy (http-equiv="content-security-policy")
1. If the user agent is already enforcing a policy for the document, abort these steps.

Is the intent that, if a server policy is supplied, any meta elements would be ignored?

When I took a first read I skimmed over this part and had thought that meta Element tags would be added to the policies coming from the server. This seems to be how this 1.1 option is implemented in Chrome currently.

Or is this trying to capture the potential race condition depending on where a developer places the meta Element in their page?
Received on Monday, 9 June 2014 20:22:46 UTC
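
An added example, not part of the original message or of the spec text: a simplified JavaScript model of the two readings raised above (meta policy ignored once a header policy is enforced, versus meta policy added to the header policy), showing where they give different results for the same script load. The function names, the sample origins and the reduced source matching (only exact origins, `'self'`, `*` and `'none'`) are assumptions made for illustration.

```javascript
// Simplified model (assumption): only exact-origin, 'self', '*' and 'none'
// source expressions, with fallback from script-src to default-src.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // First occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function policyAllowsScript(policy, scriptOrigin, documentOrigin) {
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // no relevant directive: not restricted
  // 'none' or an empty list matches nothing, so the load is blocked.
  return sources.some((s) =>
    s === '*' ||
    (s === "'self'" && scriptOrigin === documentOrigin) ||
    s.toLowerCase() === scriptOrigin.toLowerCase());
}

// Reading 1: step 1 aborts, so the meta policy is dropped when a header
// policy is already being enforced.
function policiesIfMetaIgnored(headerPolicy, metaPolicy) {
  if (headerPolicy) return [parsePolicy(headerPolicy)];
  return metaPolicy ? [parsePolicy(metaPolicy)] : [];
}

// Reading 2: the meta policy is added to the header policy; both are enforced.
function policiesIfMetaAdded(headerPolicy, metaPolicy) {
  return [headerPolicy, metaPolicy].filter(Boolean).map(parsePolicy);
}

// With several policies enforced, a load must be allowed by every one of them.
function scriptAllowed(policies, scriptOrigin, documentOrigin) {
  return policies.every((p) => policyAllowsScript(p, scriptOrigin, documentOrigin));
}

// Constructed sample input: a looser header policy and a stricter meta policy.
const DOC = 'https://app.example';
const HEADER = "default-src 'self' https://cdn.example";
const META = "script-src 'self'";
```

With these sample policies, a script from `https://cdn.example` loads under the first reading and is blocked under the second, so a page author who relies on a meta element to tighten a header policy gets that tightening only under the additive reading.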
