
Re: Header Policy Vs. Meta tag policy

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 11 Jun 2014 09:00:45 -0700
Message-ID: <53987D2D.6010606@mozilla.com>
To: Mike West <mkwst@google.com>
CC: Kevin Hill <khill@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 6/11/2014 12:20 AM, Mike West wrote:
> Thanks Dan. I agree with your analysis, and I appreciate you withdrawing
> your objection.
>
> I've made this change in
> https://github.com/w3c/webappsec/commit/f697c40eea84b6c57480c0e3783993a47ebdc3d5
>
> WDYT?

To be clear, your change does two things and we were mainly talking 
about the first:
  * allows use of both HTTP and <meta> CSP
  * allows use of multiple <meta> CSP

The arguments against (and in favor of) multiple <meta> CSP are pretty 
much the same as the arguments for and against allowing a combination of 
header and <meta> policies. "It's useful, and why not since it can only 
tighten policies" vs. "Injection bug in site might be used to circumvent 
a feature whose main purpose assumes you need protection from injection 
bugs". I'm not objecting to the change, just announcing my intention to 
sit in the corner and fret about the possibility.

-Dan Veditz
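Dan's point that a header policy combined with one or more `<meta>` policies "can only tighten" follows from how CSP enforces several policies at once: each is enforced independently, so a load must pass all of them. The following added Python model (not code from this thread or from the webappsec spec; all helper names and the sample policies are hypothetical) checks a URL against every delivered policy and verifies the tightening property on constructed inputs.

```python
from urllib.parse import urlparse

# Added model of CSP's multiple-policy rule (hypothetical helpers): a load passes only
# if EVERY delivered policy allows it, so a second policy can only narrow what loads.
def parse_policy(policy: str) -> dict:
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def source_allows(source: str, url: str, page_origin: str) -> bool:
    """Constructed subset of source-expression matching: 'none', 'self', *, *.host, host."""
    u = urlparse(url)
    origin = f"{u.scheme}://{u.netloc}"
    src = source.lower().strip("'")
    if src == "none":
        return False
    if src == "self":
        return origin == page_origin
    if src == "*":
        return True
    if src.startswith("*."):                    # wildcard host, e.g. *.example.com
        return bool(u.hostname) and u.hostname.endswith(src[1:])
    return origin == src or u.hostname == src   # host source, with or without scheme

def policy_allows(policy: str, directive: str, url: str, page_origin: str) -> bool:
    """One policy: use the directive, fall back to default-src, else no restriction."""
    d = parse_policy(policy)
    sources = d.get(directive, d.get("default-src"))
    return True if sources is None else any(source_allows(s, url, page_origin) for s in sources)

def allowed_by_all(policies, directive, url, page_origin) -> bool:
    """CSP semantics for several policies: each is enforced, so all must allow the load."""
    return all(policy_allows(p, directive, url, page_origin) for p in policies)

def only_tightens(policies, extra, directive, urls, page_origin) -> bool:
    """Property check: anything blocked before adding `extra` is still blocked after it."""
    return all(allowed_by_all(policies, directive, u, page_origin)
               or not allowed_by_all(policies + [extra], directive, u, page_origin)
               for u in urls)

# Constructed scenario: a header policy plus a <meta> policy on https://example.com
PAGE = "https://example.com"
HEADER = "script-src 'self' https://cdn.example.com"
META = "script-src 'self'"
```

Adding `META` after `HEADER` drops the CDN from the allowed script sources, while an injected permissive `script-src *` policy cannot re-open anything the header already blocks.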
Received on Wednesday, 11 June 2014 16:01:13 UTC
