Meta tag verification

For a while now, I've had rather mixed feelings about CSP in the meta tag.
Namely, it seems a little too easy to shoot oneself in the foot by doing
something as simple as putting a title tag with user content above it.

That having been said, I've also been recently convinced that it's probably
necessary. Header bloat is getting out of control, plus it's much easier to
manage.

So why not get the best of both? I propose a meta-integrity CSP directive
(that's HTTP header only) that holds a hash of the CSP policy in the meta
tag. This would guarantee that the meta tag CSP is the one the server
intended. This would eliminate all of the concerns I've heard of about the
meta tag, while still providing its flexibility.

Personally, I'd go one step further and mandate that a meta-integrity be
present in the HTTP header if the developer wants to use a meta tag CSP,
but I suspect developers might find that overbearing.

Any thoughts on all of this?
-Joel

Received on Saturday, 1 March 2014 01:07:02 UTC
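The following is an added illustration of the mechanism proposed in the message above; it is not code from the poster or from any browser or CSP implementation. The directive name `meta-integrity` is the one proposed in the message; everything else is an assumption for the sake of the example: the value syntax `'sha256-<base64>'` is borrowed from CSP's existing hash-source tokens, the digest is taken over the exact UTF-8 bytes of the meta tag's `content` attribute, and the sample HTML (with a second, unintended meta CSP smuggled in through user-controlled title text) is constructed for the demonstration.

```python
import base64
import hashlib
import re

# Hypothetical header-only directive from the proposal above (not part of real CSP).
DIRECTIVE = "meta-integrity"

# Loose tag-level extraction; a real UA would use its HTML parser, not regexes.
META_CSP_RE = re.compile(
    r'<meta\s+[^>]*http-equiv\s*=\s*["\']content-security-policy["\'][^>]*>',
    re.IGNORECASE,
)
CONTENT_RE = re.compile(r'content\s*=\s*(["\'])(.*?)\1', re.IGNORECASE | re.DOTALL)


def policy_digest(policy: str) -> str:
    """CSP-style hash token over the raw UTF-8 bytes of a meta policy (assumed encoding)."""
    digest = hashlib.sha256(policy.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def build_header(header_policy: str, meta_policy: str) -> str:
    """Server side: bind the meta tag policy to the HTTP header via the proposed directive."""
    return f"{header_policy}; {DIRECTIVE} '{policy_digest(meta_policy)}'"


def parse_directives(policy: str) -> dict:
    """Split a serialized CSP into {directive-name: value}."""
    out = {}
    for directive in policy.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition(" ")
        out[name.lower()] = value.strip()
    return out


def extract_meta_policies(html: str) -> list:
    """Return the content of every <meta http-equiv="Content-Security-Policy"> in document order."""
    policies = []
    for tag in META_CSP_RE.findall(html):
        m = CONTENT_RE.search(tag)
        policies.append(m.group(2) if m else "")
    return policies


def enforce(csp_header: str, html: str) -> tuple:
    """UA side: decide which meta policies to honour.

    Returns (accepted, rejected). With meta-integrity in the header a meta policy
    is honoured only if its digest is listed; without it, every meta policy is
    honoured, which is today's behaviour and the situation the proposal targets.
    """
    expected = parse_directives(csp_header).get(DIRECTIVE)
    found = extract_meta_policies(html)
    if expected is None:
        return found, []
    allowed = {token.strip("'") for token in expected.split()}
    accepted = [p for p in found if policy_digest(p) in allowed]
    rejected = [p for p in found if policy_digest(p) not in allowed]
    return accepted, rejected


# Constructed sample: the server's intended meta policy, and one injected through
# user-controlled title text that closes </title> early (the foot-gun the post mentions).
INTENDED_META_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.test"
INJECTED_META_POLICY = "default-src *"
SAMPLE_HTML = f"""<!doctype html>
<html><head>
<title>Results for: gadgets</title><meta http-equiv="Content-Security-Policy" content="{INJECTED_META_POLICY}"></title>
<meta http-equiv="Content-Security-Policy" content="{INTENDED_META_POLICY}">
</head><body><p>...</p></body></html>
"""


if __name__ == "__main__":
    header = build_header("default-src 'self'", INTENDED_META_POLICY)
    print("Content-Security-Policy:", header)
    print("honoured / dropped with meta-integrity:", enforce(header, SAMPLE_HTML))
    print("honoured / dropped without it:", enforce("default-src 'self'", SAMPLE_HTML))
```

Two things worth noting when reading the output. The digest binds the exact policy string, so a meta policy that was altered in transit or injected (here `default-src *`) is dropped while the intended one survives, and a header without the directive falls back to honouring every meta policy it finds. The check does nothing about content that precedes the meta tag, which a meta-delivered policy never governs anyway; that is why the directive is a complement to, not a replacement for, putting the meta tag before any user-influenced markup.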