Re: [CSP] violation reports for sandbox

Mike West <mkwst@google.com> wrote:
> On Thu, Nov 6, 2014 at 11:49 PM, Brian Smith <brian@briansmith.org> wrote:
>> Based on your response and others' responses, it is now clear to me
>> that CSP sandbox should not cause violation reports. I think that
>> makes sense and I hope that is also the case for frame-ancestors too.
>
> I've explicitly addressed this in
> https://github.com/w3c/webappsec/commit/971dd0916a7dcb558d3433278203c6930902c281.
> WDYT?

Looks good. I think it would be good to also list the things that
aren't supported in <meta> in a note in section 3.3, which specifies
the <meta> element. This way, the limitations of the <meta> element
become clearer. Additionally, I think there should be a suggestion
that the user agent should issue a warning when a directive is
detected in a <meta> element that isn't supported in the meta element.

Also, is it still intended that Content-Security-Policy-Report-Only
isn't allowed in <meta>? I thought that this restriction was included
back when <meta>- and header-field-specified policies were mutually
exclusive, but now that those rules have changed, does it still make
sense to prohibit <meta
http-equiv=Content-Security-Policy-Report-Only>?

Cheers,
Brian

Received on Monday, 19 January 2015 22:07:49 UTC