Re: Allow CSP on HTML tags

Sun, 28 Feb 2010 18:45:28 -0800 

Thanks, Bil, for enlightening me.
Actually I still can't find a fair reason for omitting the option of allowing HTML <meta> tags to provide CSP directives. 


* By means of the intersection algorithm, a <meta> CSP directive can only 
tighten security but not loosen.



* Disallowing <meta> tags would cause a significant number of private 
websites to not being able to use this security feature. Does someone really 
want to exclude all these users from the spec? Just because it would cause 
more effort implementing it? What's more important?


Regards,
Axel Dahmen



-------------------------

"Bil Corry" <[email protected]> schrieb im Newsbeitrag 
news:[email protected]...

Axel Dahmen wrote on 2/28/2010 5:28 AM:

I've read through the CSP specs

(https://wiki.mozilla.org/Security/CSP/Spec#Source_Expression_List) and 
the

Talk (https://wiki.mozilla.org/Talk:Security/CSP/Spec)...

What I'm missing is a statement about allowing CSP directives in HTML
<meta>
tags.

Use case:
---------
My provider just provides the ability to upload HTML and related content,
but they don't provide an option to manipulate the server's output to any

degree. So configuring HTTP response headers is not possible here. 
However,

I want to protect my web pages just like any other. So the only option I
would have to get CSP applied would be through using HTML <meta> tags.



CSP used to support <meta> policies, but was removed.  You probably want 
to read through these:


http://blog.sidstamm.com/2009/06/csp-with-or-without-meta.html
http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/571f1495e6ccf822/cf15e2be59a72734?lnk=gst&q=meta#cf15e2be59a72734
http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/c0f1a44e4fb98859/31465e3d46ccf806?lnk=gst&q=meta#31465e3d46ccf806
http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/87ebe5cb9735d8ca/f9167000431aa6a4?lnk=gst&q=meta#f9167000431aa6a4
http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/571f1495e6ccf822/5f75c00c023696bd?lnk=gst&q=meta#5f75c00c023696bd
http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/87ebe5cb9735d8ca/87796e2d9caeb36f?lnk=gst&q=meta#87796e2d9caeb36f

There's probably more:

http://groups.google.com/group/mozilla.dev.security/search?group=mozilla.dev.security&q=meta&qt_g=Search+this+group



- Bil 


_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security






















					Reply via email to