Meta tags provide equivalent behaviour to sending HTTP headers via the “http-equiv” attribute.

Set-Cookie can be used to provide cookies to the user via this attribute:

<meta http-equiv="Set-Cookie" content="meta=tag">

However, this behaviour isn’t restrictable via a Content Security Policy. This gives an attacker the ability to change a user's cookies via an XSS exploit and also fixate session cookies.

Impact on the Web:

The HTML specification has removed this behaviour: https://github.com/whatwg/html/pull/3649

Web platform tests: https://github.com/w3c/web-platform-tests/blob/master/cookies/meta-blocked.html

Chrome removed it in version 65 and it appears Edge has implemented the changes to land in the next release.

The usage of the feature is intermittent according to Chrome: “shows up on ~0.02% of pages, with intermittent spikes up to ~0.06%. Cloudflare's error page seems like a reasonable explanation of this behavior”.

Chrome’s intent to deprecate: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/0sJ8GUJO0Dw/iMmcXLIGBAAJ

Chrome code: https://bugs.chromium.org/p/chromium/issues/detail?id=767813

Removal implementation:

The rollout strategy is to disable via a preference and let it ride the releases to stable.

Firefox will remove access to this feature in Firefox 62.

The work will commence in: https://bugzilla.mozilla.org/show_bug.cgi?id=1457503

Kind regards
Jonathan
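For site owners checking whether their own pages still depend on this feature before it is removed, here is an added example (not part of the original message or of any browser's code) that scans HTML for meta elements using http-equiv="Set-Cookie" and reports the cookie names they would set. The names MetaCookieFinder and find_meta_cookies are hypothetical, and the sample document is constructed.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie, CookieError

# Constructed sample page: two cookie-setting meta tags and one unrelated one.
SAMPLE = """<!doctype html>
<html><head>
<meta charset="utf-8">
<meta http-equiv="Set-Cookie" content="meta=tag">
<meta HTTP-EQUIV=set-cookie content="sid=abc123; path=/" />
<meta http-equiv="refresh" content="30">
</head><body></body></html>
"""


class MetaCookieFinder(HTMLParser):
    """Collects every <meta http-equiv="Set-Cookie"> element in a document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing <meta ... /> via handle_startendtag.
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        # Attribute names arrive lower-cased; the value match must also be
        # case-insensitive, as http-equiv keywords are.
        if attr.get("http-equiv", "").strip().lower() != "set-cookie":
            return
        content = attr.get("content", "")
        jar = SimpleCookie()
        try:
            jar.load(content)
        except CookieError:
            pass  # keep the finding even if the cookie string is malformed
        line, _column = self.getpos()
        self.findings.append(
            {"line": line, "content": content, "cookies": sorted(jar.keys())}
        )


def find_meta_cookies(html_text):
    """Return one finding per cookie-setting meta element in html_text."""
    finder = MetaCookieFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for finding in find_meta_cookies(SAMPLE):
        print(finding)
```

Any page this reports needs its cookies moved to a Set-Cookie response header or to script, since browsers that have removed the feature ignore these elements.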