- From: Mike West <mkwst@google.com>
- Date: Thu, 15 Jan 2015 15:05:59 +0100
- To: Brian Smith <brian@briansmith.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=ed9pmoYZ77dePbrrb+tgduv2SCV6zUTXp5eENVthGePg@mail.gmail.com>
On Sun, Nov 9, 2014 at 11:48 PM, Brian Smith <brian@briansmith.org> wrote:

> The current draft says "Authors are strongly encouraged to place the
> meta element as early in the document as possible to reduce the risk
> of content injection before a protective policy can be read and
> enforced."
>
> I think this is reasonable. But, I think it would be better to replace
> "to reduce the risk of content injection before a protective policy
> can be read and enforced" with the more general statement "because
> policies in meta elements are not applied to content that precedes
> them". Also, I think some illustrative examples will help people
> understand what this means. I provide some examples below.
>
> Also, I think that the specification should say something like "The
> user agent SHOULD report a warning message in the developer console
> when a <meta> CSP policy follows an element that would have been
> restricted if the <meta> element had preceded it."
>
> Also, the current draft says "the meta element" but I think it should
> instead acknowledge the possibility of multiple "meta elements" and
> mention that all of the meta elements are combined together with the
> rest of the policies from the HTTP headers.
>
> Also, this section has a note that says "The general mechanism for
> determining the effect of enforcing multiple policies is detailed in
> §3.5 Enforcing multiple policies." But, section 3.5 says "This section
> is not normative." The reference should be changed to reference the
> normative text for combining policies.

I've (belatedly) addressed these points in https://github.com/w3c/webappsec/commit/3e856006a34d9f75d28d696c510f055084567c29 .

I haven't added the suggestion regarding a warning message for already-loaded content; it's not at all clear how we'd implement such a change, and it doesn't really match at least one use case (locking down an application after it "boots").

WDYT?

-mike

--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 15 January 2015 14:06:55 UTC
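The point under discussion, that a CSP delivered in a `<meta>` element governs only the content that follows it, and that several `<meta>` policies may be present, can be checked offline by a small linter. The following is an added example, not code from the thread, the spec or the referenced commit; the element-to-directive mapping is a simplified assumption, and the sample HTML is constructed.

```python
from html.parser import HTMLParser

# Simplified, assumed mapping of element -> CSP directive that would govern it.
GOVERNING = {"script": "script-src", "img": "img-src", "style": "style-src",
             "iframe": "child-src", "object": "object-src"}

def parse_policy(text):
    """Parse a serialized CSP into {directive-name: [source expressions]}."""
    policy = {}
    for token in text.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

class MetaCspLinter(HTMLParser):
    """Record every <meta> CSP and every governed element, in document order."""
    def __init__(self):
        super().__init__()
        self.policies = []   # (line, parsed policy) per <meta http-equiv=CSP>
        self.elements = []   # (tag, line, number of <meta> policies seen so far)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line, _ = self.getpos()
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.policies.append((line, parse_policy(a.get("content") or "")))
        elif tag in GOVERNING:
            self.elements.append((tag, line, len(self.policies)))

    def findings(self):
        """Flag elements that precede a <meta> policy which declares a directive for them."""
        out = []
        for tag, line, seen in self.elements:
            directive = GOVERNING[tag]
            for meta_line, policy in self.policies[seen:]:   # only later metas are a problem
                if directive in policy or "default-src" in policy:
                    out.append(f"line {line}: <{tag}> precedes CSP <meta> on line {meta_line}; "
                               f"{directive} does not apply to it")
        return out

def lint(html):
    parser = MetaCspLinter()
    parser.feed(html)
    parser.close()
    return parser.findings()

SAMPLE = """<!doctype html>
<html><head>
<script src="https://cdn.example/boot.js"></script>
<meta http-equiv="Content-Security-Policy" content="script-src 'self'; img-src 'none'">
<img src="https://tracker.example/p.gif">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
</head><body><script>init()</script></body></html>"""
```

Running `lint(SAMPLE)` reports the early `<script>` against both policies and the `<img>` against the second one only, while the body `<script>` after both metas is not flagged; this is the developer-console warning discussed above, implemented at authoring time rather than in the user agent.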