Re: [CSP] <meta> clarifications

On Sun, Nov 9, 2014 at 11:48 PM, Brian Smith <> wrote:
> I think this is reasonable. But, I think it would be better to replace
> "to reduce the risk of content injection before a protective policy
> can be read and enforced" with the more general statement "because
> policies in meta elements are not applied to content that precedes
> them". Also, I think some illustrative examples will help people
> understand what this means. I provide some examples below.

Even that seems questionable given a prescanner. Given

<!DOCTYPE html>
<meta charset="UTF-8">
<meta http-equiv=Content-Security-Policy content="style-src 'none'">
<link rel=stylesheet href=//>

does Gecko's or Chromium's prescanner really block because there's a
Content-Security-Policy <meta> present? Are we going to require it to


Received on Monday, 10 November 2014 09:13:58 UTC