- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 10 Nov 2014 10:13:32 +0100
- To: Brian Smith <brian@briansmith.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Sun, Nov 9, 2014 at 11:48 PM, Brian Smith <brian@briansmith.org> wrote:
> I think this is reasonable. But, I think it would be better to replace
> "to reduce the risk of content injection before a protective policy
> can be read and enforced" with the more general statement "because
> policies in meta elements are not applied to content that precedes
> them". Also, I think some illustrative examples will help people
> understand what this means. I provide some examples below.

Even that seems questionable given a prescanner. Given

    <!DOCTYPE html>
    <meta charset="UTF-8">
    <meta http-equiv=Content-Security-Policy content="style-src 'none'">
    <link rel=stylesheet href=//bad.example.com/bad.css>

does Gecko's or Chromium's prescanner really block because there's a Content-Security-Policy <meta> present? Are we going to require it to block?

-- 
https://annevankesteren.nl/
Received on Monday, 10 November 2014 09:13:58 UTC
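The rule Brian quotes, that a policy delivered in a <meta> element is not applied to content that precedes it, is something an author can check statically before shipping a page. Below is an added example, not code from this thread, from the WebAppSec WG, or from any browser: a small heuristic scanner that reports fetch-triggering elements (stylesheet links, scripts, images, frames and so on) that appear before the Content-Security-Policy <meta> element. It does not answer Anne's prescanner question, which concerns what a browser does with content that follows the <meta>; it only flags the ordering case the spec language covers. The function and constant names (checkMetaCspOrder, FETCHING_TAGS, FETCHING_LINK_RELS) are assumptions of this example, and the two sample documents are constructed, reusing the bad.example.com hostname from the thread.

```javascript
// Added example; not code from the thread, the WebAppSec WG, or any browser.
// Heuristic lint: report elements that can trigger a subresource fetch (or run
// inline code) and that appear before a <meta http-equiv="Content-Security-Policy">
// element, since a policy delivered in <meta> does not govern content parsed
// before it. Regex-based, not a full HTML parser: attribute values are assumed
// to be simple quoted or unquoted tokens, and tags inside comments are not skipped.

const TAG_RE = /<\s*(\/?)([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;

// Elements that fetch or execute as soon as the parser sees them (assumed list).
const FETCHING_TAGS = new Set([
  'script', 'style', 'img', 'iframe', 'frame', 'object', 'embed',
  'video', 'audio', 'source', 'track',
]);
// <link> only fetches for certain rel values (assumed list).
const FETCHING_LINK_RELS = /\b(stylesheet|preload|modulepreload|prefetch|icon)\b/i;

// Extract one attribute value (case-insensitive name) from a raw attribute string.
function attr(attrs, name) {
  const re = new RegExp(
    `(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, 'i');
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]).trim() : null;
}

function isMetaCsp(name, attrs) {
  if (name !== 'meta') return false;
  const httpEquiv = attr(attrs, 'http-equiv');
  return httpEquiv !== null && httpEquiv.toLowerCase() === 'content-security-policy';
}

function isFetching(name, attrs) {
  if (FETCHING_TAGS.has(name)) return true;
  if (name === 'link') {
    const rel = attr(attrs, 'rel');
    return rel !== null && FETCHING_LINK_RELS.test(rel);
  }
  return false;
}

// Scan a document and return:
//   metaCspFound - whether a CSP <meta> element exists at all
//   policy       - its content attribute (null if absent)
//   before       - [{tag, offset}] for fetching elements parsed before it
function checkMetaCspOrder(html) {
  const before = [];
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const [, slash, rawName, attrs] = m;
    if (slash === '/') continue; // closing tags never fetch
    const name = rawName.toLowerCase();
    if (isMetaCsp(name, attrs)) {
      return { metaCspFound: true, policy: attr(attrs, 'content'), before };
    }
    if (isFetching(name, attrs)) before.push({ tag: name, offset: m.index });
  }
  return { metaCspFound: false, policy: null, before };
}

// Constructed sample documents (the hostname is the one used in the thread).
const GOOD_ORDER = [
  '<!DOCTYPE html>',
  '<meta charset="UTF-8">',
  '<meta http-equiv=Content-Security-Policy content="style-src \'none\'">',
  '<link rel=stylesheet href=//bad.example.com/bad.css>',
].join('\n');

const BAD_ORDER = [
  '<!DOCTYPE html>',
  '<meta charset="UTF-8">',
  '<link rel=stylesheet href=//bad.example.com/bad.css>',
  '<script src=//bad.example.com/bad.js></script>',
  '<meta http-equiv="Content-Security-Policy" content="style-src \'none\'">',
].join('\n');

for (const [label, doc] of [['good', GOOD_ORDER], ['bad', BAD_ORDER]]) {
  const r = checkMetaCspOrder(doc);
  console.log(label, r.metaCspFound ? `policy: ${r.policy}` : 'no meta CSP',
    r.before.length ? `not covered: ${r.before.map(b => b.tag).join(', ')}` : 'ok');
}
```

Run with `node` to see the good document report `ok` and the bad one list `link, script`. The scan stops at the first CSP <meta>, because everything after that point is governed by the policy (subject to the prescanner behaviour Anne asks about); a document with no CSP <meta> at all reports every fetching element, which is the right signal when the header-delivered policy is the only protection.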