
Re: [CSP] Clarifications regarding the HTTP LINK Header

From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Wed, 12 Nov 2014 21:19:15 -0500
Message-ID: <54641523.6040904@mit.edu>
To: public-webappsec@w3.org

On 11/12/14, 7:24 PM, Brian Smith wrote:
> Perhaps, instead, we should require the browser to look for <meta
> http-equiv=Content-Security-Policy> during prescanning, and do
> prescanning before processing any LINK headers?

What would the latter mean, exactly? Or more precisely, can you define
what "prescanning" means here?

> This would make prescanning required, and it would require
> an authoring requirement that <meta
> http-equiv=Content-Security-Policy> appear in the first 1024 bytes,

This seems like a failure mode where just managing to inject some bytes
you don't even control at the beginning of the document disables CSP...

-Boris
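The failure mode Boris describes, as an added illustration that is not part of the thread: a simplified prescanner that only inspects the first 1024 bytes for `<meta http-equiv=Content-Security-Policy>` (a constructed stand-in for the proposed rule, not the HTML specification's real prescan algorithm) finds the policy in the bare document but silently returns nothing once enough bytes precede the tag.

```python
import re
from typing import Optional

# Byte limit proposed in the quoted message.
PRESCAN_WINDOW = 1024

# Simplified matcher for a meta CSP tag (constructed for this example; the
# attribute order http-equiv-then-content is assumed, quotes are required on
# the content value).
META_CSP_RE = re.compile(
    rb'<meta\b[^>]*?http-equiv\s*=\s*["\']?Content-Security-Policy["\']?'
    rb'[^>]*?content\s*=\s*(["\'])(.*?)\1',
    re.IGNORECASE,
)


def prescan_meta_csp(document: bytes, window: int = PRESCAN_WINDOW) -> Optional[str]:
    """Return the policy found by scanning only the first `window` bytes.

    The whole tag must fit inside the window: a prescanner that stops at the
    byte limit never sees a closing quote that lies beyond it.
    """
    head = document[:window]
    match = META_CSP_RE.search(head)
    return match.group(2).decode() if match else None


# Constructed sample document carrying an inline meta CSP.
POLICY = "default-src 'self'"
DOC = (
    b"<!doctype html><html><head>"
    b'<meta http-equiv="Content-Security-Policy" content="' + POLICY.encode() + b'">'
    b"<title>t</title></head><body>hi</body></html>"
)


def policy_after_prefix(prefix: bytes) -> Optional[str]:
    """Prepend arbitrary bytes (whitespace, a comment, a BOM) to the document
    and report which policy the 1024-byte prescanner would apply."""
    return prescan_meta_csp(prefix + DOC)


if __name__ == "__main__":
    print(policy_after_prefix(b""))                                # default-src 'self'
    print(policy_after_prefix(b"<!-- " + b" " * 1024 + b" -->"))   # None
```

The second call shows the point of the objection: the prepended bytes carry no policy of their own, yet they are enough to push the real policy outside the scanned window.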
Received on Thursday, 13 November 2014 02:19:43 UTC
