- From: Joel Weinberger <jww@chromium.org>
- Date: Fri, 28 Feb 2014 17:06:34 -0800
- To: public-webappsec@w3.org
- Message-ID: <CAHQV2K=2Ck170evajP3iY8RjTJep6FY6v_No5U+gDuYn5Tyokw@mail.gmail.com>
For a while now, I've had rather mixed feelings about CSP in the meta tag. Namely, it seems a little too easy to shoot oneself in the foot by doing something as simple as putting a title tag with user content above it. That having been said, I've also been recently convinced that it's probably necessary. Header bloat is getting out of control, plus it's much easier to manage.

So why not get the best of both? I propose a meta-integrity CSP directive (that's HTTP header only) that holds a hash of the CSP policy in the meta tag. This would guarantee that the meta tag CSP is the one the server intended. This would eliminate all of the concerns I've heard of about the meta tag, while still providing its flexibility.

Personally, I'd go one step further and mandate that a meta-integrity be present in the HTTP header if the developer wants to use a meta tag CSP, but I suspect developers might find that overbearing.

Any thoughts on all of this?

-Joel
Received on Saturday, 1 March 2014 01:07:02 UTC