- From: Boris Zbarsky <bzbarsky@mit.edu>
- Date: Wed, 12 Nov 2014 21:19:15 -0500
- To: public-webappsec@w3.org
On 11/12/14, 7:24 PM, Brian Smith wrote:
> Perhaps, instead, we should require the browser to look for <meta
> http-equiv=Content-Security-Policy> during prescanning, and do
> prescanning before processing any LINK headers?

What would the latter mean, exactly? Or more precisely, can you define what "prescanning" means here?

> This would make prescanning required, and it would require
> an authoring requirement that <meta
> http-equiv=Content-Security-Policy> appear in the first 1024 bytes,

This seems like a failure mode where just managing to inject some bytes you don't even control at the beginning of the document disables CSP...

-Boris
Received on Thursday, 13 November 2014 02:19:43 UTC
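The failure mode Boris describes can be made concrete with a small model. The following is an added example, not code from the thread or from any browser: `prescan_for_csp` is a toy prescanner that, as the proposal would require, only inspects the first 1024 bytes of the response body for a `<meta http-equiv="Content-Security-Policy">` tag; the window size, the regexes, and the sample documents are assumptions constructed for the demonstration. With the tag near the top of the page the policy is found; once unrelated leading bytes (here a constructed HTML comment, but a server-inserted banner or a BOM-plus-boilerplate would do the same) push the tag past byte 1024, the same page silently yields no policy at all.

```python
import re

# Byte window the toy prescanner examines (assumption: models the 1024-byte
# authoring limit discussed in the thread, not any browser's real algorithm).
PRESCAN_WINDOW = 1024

# Matches a <meta http-equiv=Content-Security-Policy ...> start tag.
META_CSP_RE = re.compile(
    rb'<meta\s+[^>]*http-equiv\s*=\s*["\']?content-security-policy["\']?[^>]*>',
    re.IGNORECASE,
)
# Extracts the content="..." or content='...' attribute value from that tag.
CONTENT_RE = re.compile(rb'content\s*=\s*(?:"([^"]*)"|\'([^\']*)\')', re.IGNORECASE)


def prescan_for_csp(document: bytes, window: int = PRESCAN_WINDOW):
    """Return the policy string found within the first `window` bytes, or None.

    Only `document[:window]` is examined, so a tag that starts beyond the
    window (or straddles its end) is never seen: the policy is dropped.
    """
    head = document[:window]
    tag = META_CSP_RE.search(head)
    if tag is None:
        return None
    attr = CONTENT_RE.search(tag.group(0))
    if attr is None:
        return None
    value = attr.group(1) if attr.group(1) is not None else attr.group(2)
    return value.decode("ascii", "replace")


def csp_tag_offset(document: bytes):
    """Byte offset of the CSP meta tag anywhere in the document, or None.

    Used to show where the tag actually sits relative to the window.
    """
    tag = META_CSP_RE.search(document)
    return tag.start() if tag else None


def build_document(prefix: bytes = b"") -> bytes:
    """Constructed sample page: optional leading bytes, then a CSP meta tag."""
    return (
        prefix
        + b"<!DOCTYPE html><html><head>"
        + b'<meta http-equiv="Content-Security-Policy" content="default-src \'self\'">'
        + b"<title>demo</title></head><body>hello</body></html>"
    )


def demo():
    """Compare a clean page with one whose tag was pushed past the window."""
    clean = build_document()
    # Constructed padding: 1109 bytes of comment the page author did not write.
    padded = build_document(b"<!-- " + b"x" * 1100 + b" -->")
    return {
        "clean": (csp_tag_offset(clean), prescan_for_csp(clean)),
        "padded": (csp_tag_offset(padded), prescan_for_csp(padded)),
    }


if __name__ == "__main__":
    for name, (offset, policy) in demo().items():
        print(f"{name}: tag at byte {offset}, prescanned policy = {policy!r}")
```

Running the block prints the clean page's policy and `None` for the padded one, even though the identical tag is still present further down. This is why delivering the policy in the `Content-Security-Policy` HTTP header, which no body bytes can displace, is the more robust choice whenever the server can set headers.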