
Re: [CSP] <meta> clarifications

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 10 Nov 2014 10:13:32 +0100
Message-ID: <CADnb78gDbJhq29a_oALWreHS-o6JBhOJgPA0JjTjYDUt72tWMQ@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Sun, Nov 9, 2014 at 11:48 PM, Brian Smith <brian@briansmith.org> wrote:
> I think this is reasonable. But, I think it would be better to replace
> "to reduce the risk of content injection before a protective policy
> can be read and enforced" with the more general statement "because
> policies in meta elements are not applied to content that precedes
> them". Also, I think some illustrative examples will help people
> understand what this means. I provide some examples below.

Even that seems questionable given a prescanner. Given

<!DOCTYPE html>
<meta charset="UTF-8">
<meta http-equiv=Content-Security-Policy content="style-src 'none'">
<link rel=stylesheet href=//bad.example.com/bad.css>

does Gecko's or Chromium's prescanner really block because there's a
Content-Security-Policy <meta> present? Are we going to require it to
block?


-- 
https://annevankesteren.nl/
Received on Monday, 10 November 2014 09:13:58 UTC
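The point Brian and Anne are arguing about is that a policy delivered in a <meta> element governs only content that follows it in the document, and even that is uncertain once a speculative prescanner fetches subresources before the meta is processed. The following is an added example, not code from the thread or from any browser: a small static lint, written here in Python with the standard-library html.parser, that locates the first Content-Security-Policy <meta> and separates fetch-triggering elements that precede it from those that follow it. It checks the document-order rule only; it says nothing about what Gecko's or Chromium's prescanner actually does, which is the open question in the mail. The class and function names and the sample document are this example's own.

```python
"""Lint an HTML document for subresources placed before a CSP <meta>.

Added example for the public-webappsec thread above; not the mail's code.
It applies the document-order rule ("meta policies do not cover content
that precedes them") and cannot model a browser's speculative prescanner.
"""
from html.parser import HTMLParser

# Elements whose attribute triggers a subresource fetch that a CSP
# directive (style-src, script-src, img-src, frame-src) would govern.
FETCHING_ATTRS = {
    "link": "href",
    "script": "src",
    "img": "src",
    "iframe": "src",
}


class CspMetaLint(HTMLParser):
    """Records fetching elements before and after the first CSP <meta>."""

    def __init__(self):
        super().__init__()
        self.policy = None   # content of the first CSP <meta>, if any
        self.before = []     # (tag, url) fetched before the policy is seen
        self.after = []      # (tag, url) fetched after the policy is seen

    def handle_starttag(self, tag, attrs):
        # Unquoted attribute values (as in the mail's sample) parse fine;
        # a valueless attribute arrives as None, so normalise to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            if self.policy is None:          # only the first one counts
                self.policy = a.get("content", "")
            return
        attr = FETCHING_ATTRS.get(tag)
        if attr is None or attr not in a:
            return
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower().split():
            return                           # e.g. rel=icon is not style-src
        target = self.before if self.policy is None else self.after
        target.append((tag, a[attr]))


def lint(html):
    """Return the policy text plus the fetches before and after it."""
    p = CspMetaLint()
    p.feed(html)
    p.close()
    return {"policy": p.policy, "before": p.before, "after": p.after}


# Constructed sample: the mail's document with one stylesheet moved in
# front of the <meta> so the document-order gap is visible.
SAMPLE = """<!DOCTYPE html>
<meta charset="UTF-8">
<link rel=stylesheet href=//early.example.com/early.css>
<meta http-equiv=Content-Security-Policy content="style-src 'none'">
<link rel=stylesheet href=//bad.example.com/bad.css>
<script src=/app.js></script>
"""

if __name__ == "__main__":
    result = lint(SAMPLE)
    print("policy:", result["policy"])
    for tag, url in result["before"]:
        print(f"NOT COVERED (precedes meta): <{tag}> {url}")
    for tag, url in result["after"]:
        print(f"covered by document order:   <{tag}> {url}")
```

Running it reports early.css as outside the policy's reach and bad.css and app.js as after it. A document that passes this lint still only satisfies the ordering rule; whether a prescanner issues the bad.css request before the policy is enforced is exactly what Anne asks the implementers to confirm.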
