Axel Dahmen wrote on 2/28/2010 5:28 AM: 
> I've read through the CSP specs
> (https://wiki.mozilla.org/Security/CSP/Spec#Source_Expression_List) and the
> Talk (https://wiki.mozilla.org/Talk:Security/CSP/Spec)...
> 
> What I'm missing is a statement about allowing CSP directives in HTML
> <meta> tags.
> 
> Use case:
> ---------
> My provider just provides the ability to upload HTML and related content,
> but they don't provide an option to manipulate the server's output to any
> degree. So configuring HTTP response headers is not possible here. However,
> I want to protect my web pages just like any other. So the only option I
> would have to get CSP applied would be through using HTML <meta> tags.

CSP used to support <meta> policies, but that was removed.  You probably want to
read through these:

        http://blog.sidstamm.com/2009/06/csp-with-or-without-meta.html

        http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/571f1495e6ccf822/cf15e2be59a72734?lnk=gst&q=meta#cf15e2be59a72734

        http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/c0f1a44e4fb98859/31465e3d46ccf806?lnk=gst&q=meta#31465e3d46ccf806

        http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/87ebe5cb9735d8ca/f9167000431aa6a4?lnk=gst&q=meta#f9167000431aa6a4

        http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/571f1495e6ccf822/5f75c00c023696bd?lnk=gst&q=meta#5f75c00c023696bd

        http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/87ebe5cb9735d8ca/87796e2d9caeb36f?lnk=gst&q=meta#87796e2d9caeb36f

There's probably more:

        http://groups.google.com/group/mozilla.dev.security/search?group=mozilla.dev.security&q=meta&qt_g=Search+this+group


- Bil
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
