
Meta tag verification

From: Joel Weinberger <jww@chromium.org>
Date: Fri, 28 Feb 2014 17:06:34 -0800
Message-ID: <CAHQV2K=2Ck170evajP3iY8RjTJep6FY6v_No5U+gDuYn5Tyokw@mail.gmail.com>
To: public-webappsec@w3.org
For a while now, I've had rather mixed feelings about CSP in the meta tag.
Namely, it seems a little too easy to shoot oneself in the foot by doing
something as simple as putting a title tag with user content above it.

That having been said, I've also been recently convinced that it's probably
necessary. Header bloat is getting out of control, plus it's much easier to
manage.

So why not get the best of both? I propose a meta-integrity CSP directive
(that's HTTP header only) that holds a hash of the CSP policy in the meta
tag. This would guarantee that the meta tag CSP is the one the server
intended. This would eliminate all of the concerns I've heard of about the
meta tag, while still providing its flexibility.

Personally, I'd go one step further and mandate that a meta-integrity be
present in the HTTP header if the developer wants to use a meta tag CSP,
but I suspect developers might find that overbearing.

Any thoughts on all of this?
-Joel
Received on Saturday, 1 March 2014 01:07:02 UTC
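A simulation of the check the post proposes, added here as an example; it is not code from the post, from the CSP specification, or from any browser. The directive name `meta-integrity` is taken from the post, but its value syntax (`'sha256-<base64>'`, borrowed from CSP hash-sources), the simplified meta-tag matcher, the page layout with a user-controlled `<title>` above the policy, and the `attacker.example` host are all assumptions made for the demonstration. The verifier hashes each CSP meta tag it finds and accepts only the one whose digest matches the header, so a tag planted above the real one through an unescaped title is flagged as not coming from the server; with no `meta-integrity` in the header, nothing is accepted, which is the stricter option the post floats.

```python
import base64
import hashlib
import hmac
import html as html_escape
import re

# Hypothetical header-only directive, modelled on CSP's hash-source syntax
# (the directive name is from the post; the value format is an assumption):
#   Content-Security-Policy: meta-integrity 'sha256-<base64 digest>'
META_INTEGRITY_RE = re.compile(r"meta-integrity\s+'sha256-([A-Za-z0-9+/=]+)'")

# Simplified CSP meta-tag matcher (assumes fixed attribute order and double quotes).
META_CSP_RE = re.compile(
    r'<meta\s+http-equiv="Content-Security-Policy"\s+content="([^"]*)"\s*/?>',
    re.IGNORECASE,
)


def policy_digest(policy: str) -> str:
    """Base64 SHA-256 of the exact policy string; the value the server commits to in the header."""
    return base64.b64encode(hashlib.sha256(policy.encode("utf-8")).digest()).decode("ascii")


def header_for(policy: str) -> str:
    """Build the header-only directive binding the response to one meta-tag policy."""
    return f"meta-integrity 'sha256-{policy_digest(policy)}'"


def verify_meta_policies(csp_header: str, document: str) -> dict:
    """Simulated user-agent check: split the document's meta-tag policies into those
    whose hash matches the header and those that do not (and so cannot be the server's).
    Without a meta-integrity directive every meta policy is left unverified."""
    m = META_INTEGRITY_RE.search(csp_header)
    expected = m.group(1) if m else None
    result = {"accepted": [], "rejected": []}
    for policy in META_CSP_RE.findall(document):
        if expected is not None and hmac.compare_digest(policy_digest(policy), expected):
            result["accepted"].append(policy)
        else:
            result["rejected"].append(policy)
    return result


def render_page(user_title: str, policy: str, escape: bool) -> str:
    """Constructed page: a <title> built from user input sits above the CSP meta tag,
    the layout the post warns about. escape=False models the foot-gun."""
    title = html_escape.escape(user_title, quote=True) if escape else user_title
    return (
        "<!doctype html><html><head>"
        f"<title>{title}</title>"
        f'<meta http-equiv="Content-Security-Policy" content="{policy}">'
        "</head><body>Hello</body></html>"
    )


# Constructed sample data.
INTENDED_POLICY = "default-src 'self'; script-src 'self'"
HEADER = header_for(INTENDED_POLICY)
# Attacker-supplied title that breaks out of <title> and plants its own policy
# (attacker.example is a hypothetical host).
INJECTED_TITLE = (
    '</title><meta http-equiv="Content-Security-Policy" '
    'content="default-src *; report-uri https://attacker.example/">'
)
SAFE_PAGE = render_page(INJECTED_TITLE, INTENDED_POLICY, escape=True)
UNSAFE_PAGE = render_page(INJECTED_TITLE, INTENDED_POLICY, escape=False)

if __name__ == "__main__":
    print(HEADER)
    print(verify_meta_policies(HEADER, SAFE_PAGE))
    print(verify_meta_policies(HEADER, UNSAFE_PAGE))
    print(verify_meta_policies("default-src 'self'", SAFE_PAGE))  # no meta-integrity: nothing verified
```

The digest is taken over the exact `content` attribute string, so the server must emit the meta tag byte-for-byte as hashed; any whitespace or ordering change in the policy, legitimate or not, fails the check, which is the point of binding the tag to the header.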
