Re: [CSP] Clarifications regarding the HTTP LINK Header

On 11/12/14, 7:24 PM, Brian Smith wrote:
> Perhaps, instead, we should require the browser to look for <meta
> http-equiv=Content-Security-Policy> during prescanning, and do
> prescanning before processing any LINK headers?

What would the latter mean, exactly?  Or more precisely, can you define 
what "prescanning" means here?

> This would make prescanning required, and it would require
> an authoring requirement that <meta
> http-equiv=Content-Security-Policy> appear in the first 1024 bytes,

This seems like a failure mode where just managing to inject some bytes 
you don't even control at the beginning of the document disables CSP...

-Boris

Received on Thursday, 13 November 2014 02:19:43 UTC
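The failure mode Boris points at above, worked through in code. This is an added example, not code from the thread or from any browser: it models Brian's proposal as a loose "prescan" that only honours a `<meta http-equiv=Content-Security-Policy>` found within the first 1024 bytes (the byte budget is taken from the quoted proposal; the tag and attribute matching is a deliberately simplified stand-in for a real HTML prescanner, not the spec algorithm). The page and the leading junk are constructed for the demonstration. It shows that an intact page yields its policy, while the same page with 1024 bytes of attacker-influenced filler in front of it (a comment the author may not even control, as Boris puts it) yields no policy at all.

```javascript
// Added example: toy prescan for <meta http-equiv=Content-Security-Policy>
// limited to the first N bytes of the document. Assumption: the 1024-byte
// window from Brian Smith's proposal in the quoted message.
const PRESCAN_WINDOW_BYTES = 1024;

// Parse a tag's attribute string into a lowercase-keyed map.
// Handles "double", 'single' and unquoted values; this is a loose model,
// not the HTML tokenizer.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Look only at the first `windowBytes` UTF-8 bytes of the document and
// return the CSP meta policy if one is found there, else null.
// A tag that straddles the window boundary is not found, which is the
// point: anything that pushes the tag past the window disables it.
function findMetaCsp(html, windowBytes = PRESCAN_WINDOW_BYTES) {
  const bytes = new TextEncoder().encode(html).subarray(0, windowBytes);
  const head = new TextDecoder().decode(bytes);
  const metaRe = /<meta\b([^>]*)>/gi;
  let m;
  while ((m = metaRe.exec(head)) !== null) {
    const attrs = parseAttributes(m[1]);
    if ((attrs['http-equiv'] ?? '').toLowerCase() === 'content-security-policy') {
      return attrs['content'] ?? null;
    }
  }
  return null;
}

// Constructed page: a short, well-formed document with its CSP meta tag
// near the top, exactly as the authoring requirement would demand.
const POLICY = "default-src 'self'";
const PAGE =
  '<!DOCTYPE html><html><head>' +
  `<meta http-equiv="Content-Security-Policy" content="${POLICY}">` +
  '<title>demo</title></head><body>hello</body></html>';

// Constructed filler: bytes that land in front of the document before the
// browser sees it (a leading comment here; a BOM run, whitespace or a
// template fragment would do the same). The attacker needs no control
// over the content of these bytes, only over their length.
function prependFiller(html, n) {
  return '<!--' + 'x'.repeat(n) + '-->' + html;
}

// Returns the policy the prescan would apply to the intact page and to the
// padded page, so the two can be compared side by side.
function demo() {
  return {
    intact: findMetaCsp(PAGE),                       // policy found
    padded: findMetaCsp(prependFiller(PAGE, 1024)),  // null: CSP silently off
  };
}

console.log(demo());
```

With a small amount of filler the tag still falls inside the window and the policy survives; once the filler alone fills the 1024 bytes, `findMetaCsp` returns `null` and the page would run with no CSP, which is the silent downgrade Boris objects to. A header-delivered policy has no such dependency on where bytes land in the body.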