Re: [CSP] <meta> clarifications

On Sun, Nov 9, 2014 at 11:48 PM, Brian Smith <brian@briansmith.org> wrote:

> The current draft says "Authors are strongly encouraged to place the
> meta element as early in the document as possible to reduce the risk
> of content injection before a protective policy can be read and
> enforced."
>
> I think this is reasonable. But, I think it would be better to replace
> "to reduce the risk of content injection before a protective policy
> can be read and enforced" with the more general statement "because
> policies in meta elements are not applied to content that precedes
> them". Also, I think some illustrative examples will help people
> understand what this means. I provide some examples below.
>
> Also, I think that the specification should say something like "The
> user agent SHOULD report a warning message in the developer console
> when a <meta> CSP policy follows an element that would have been
> restricted if the <meta> element had preceded it."
>
> Also, the current draft says "the meta element" but I think it should
> instead acknowledge the possibility of multiple "meta elements" and
> mention that all of the meta elements are combined together with the
> rest of the policies from the HTTP headers.
>
> Also, this section has a note that says "The general mechanism for
> determining the effect of enforcing multiple policies is detailed in
> §3.5 Enforcing multiple policies." But, section 3.5 says "This section
> is not normative." The reference should be changed to reference the
> normative text for combining policies.
>

I've (belatedly) addressed these points in
https://github.com/w3c/webappsec/commit/3e856006a34d9f75d28d696c510f055084567c29.

I haven't added the suggestion regarding a warning message for
already-loaded content; it's not at all clear how we'd implement such a
change, and doesn't really match at least one use case (locking down an
application after it "boots").

WDYT?

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
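A small lint illustrating the point discussed above (an added example, not code from this thread or from the CSP specification): it walks an HTML document in parse order, collects every `<meta http-equiv="Content-Security-Policy">` policy, and flags resource-loading elements that precede the first one, roughly the developer-console warning Brian proposed. The sample document and the set of element names it treats as policy-governed are constructed assumptions.

```javascript
// Added illustration, not from the thread. Tag scanner for static HTML
// (a regex tokenizer, not a full HTML5 parser; good enough for a lint).
const TAG_RE = /<(\/?)([a-zA-Z][\w:-]*)([^>]*)>/g;

// Assumption: element names whose loads a CSP would normally govern.
const GOVERNED = new Set([
  'script', 'style', 'img', 'iframe', 'link', 'object', 'embed',
  'video', 'audio', 'form',
]);

function isCspMeta(name, attrs) {
  if (name !== 'meta') return false;
  const m = /http-equiv\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
  return m !== null && m[1].toLowerCase() === 'content-security-policy';
}

function policyContent(attrs) {
  const m = /content\s*=\s*"([^"]*)"/i.exec(attrs) ||
            /content\s*=\s*'([^']*)'/i.exec(attrs);
  return m ? m[1].trim() : '';
}

// Returns every meta-delivered policy (all of them combine with any header
// policies) and the governed elements that appear before the first meta
// policy, i.e. content the meta policies never applied to.
function lintMetaCsp(html) {
  const result = { policies: [], preceding: [] };
  let seenPolicy = false;
  for (const m of html.matchAll(TAG_RE)) {
    const [, closing, rawName, attrs] = m;
    if (closing) continue;
    const name = rawName.toLowerCase();
    if (isCspMeta(name, attrs)) {
      result.policies.push(policyContent(attrs));
      seenPolicy = true;
    } else if (!seenPolicy && GOVERNED.has(name)) {
      result.preceding.push({ tag: name, offset: m.index });
    }
  }
  return result;
}

// Console-style warnings, one per element the meta policy did not reach.
function warnings(html) {
  return lintMetaCsp(html).preceding.map((e) =>
    `warning: <${e.tag}> at offset ${e.offset} precedes the <meta> CSP and is not governed by it`);
}

// Constructed sample: one script loads before the first meta policy.
const SAMPLE = [
  '<!doctype html><html><head>',
  '<script src="https://cdn.example/boot.js"></script>',
  '<meta http-equiv="Content-Security-Policy" content="default-src \'self\'">',
  '<meta http-equiv="Content-Security-Policy" content="script-src \'self\'">',
  '<script>console.log("governed by both policies");</script>',
  '</head><body><img src="https://img.example/a.png"></body></html>',
].join('\n');

warnings(SAMPLE).forEach((w) => console.log(w));
```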

Received on Thursday, 15 January 2015 14:06:55 UTC