On Tue, 13 Aug 2002, Roy T. Fielding wrote:

> Someone could try adding the meta tag to the HTML output instead of
> on the content-type, but then they would have to check to see if this
> still reduces the cross-site scripting problems that Marc found earlier.

My recollection (I would have to check my notes to be sure) is that it is not sufficient to put it as a meta tag to attempt to protect from charset-related cross-site scripting attacks because it can be overridden. In fact, the exact browser bug that this thread is trying to work around (redirect with an explicit encoding in the HTTP headers results in that encoding being used for the target of the redirect instead of anything specified in a meta tag in that document) is one good example of why setting it in the meta tag ourselves wouldn't be sufficient to avoid charset-related cross-site scripting attacks on browsers with this bug... since the attacker site could just set one in their HTTP headers.
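
The precedence described in the message above, as an added example that is not part of the original thread or of the server's code: a small audit that reports whether a response pins its charset in the HTTP `Content-Type` header or relies on a meta tag alone. It assumes standard precedence (header over meta, byte-order marks ignored) and does not model the redirect bug; the function names, verdict strings and sample responses are constructed for illustration.

```python
import re
from email.message import Message

# Finds charset=... inside a <meta> tag (both the http-equiv and short forms).
META_RE = re.compile(rb'<meta[^>]+charset\s*=\s*["\']?\s*([A-Za-z0-9_.:-]+)', re.I)

def header_charset(content_type):
    """charset parameter of a Content-Type header value, lowercased, or None."""
    if not content_type:
        return None
    msg = Message()
    msg["Content-Type"] = content_type
    value = msg.get_param("charset")
    return value.lower() if isinstance(value, str) and value else None

def meta_charset(body, scan=1024):
    """charset declared by a <meta> tag in the first `scan` bytes, or None."""
    match = META_RE.search(body[:scan])
    return match.group(1).decode("ascii").lower() if match else None

def audit(content_type, body):
    """Report which declaration decides the encoding and whether it is pinned."""
    hdr, meta = header_charset(content_type), meta_charset(body)
    if hdr and meta and hdr != meta:
        verdict = "header-overrides-meta"  # the meta tag is ignored
    elif hdr:
        verdict = "pinned-in-header"
    elif meta:
        verdict = "meta-only"              # nothing in the headers backs it up
    else:
        verdict = "undeclared"             # browser falls back to guessing
    return {"effective": hdr or meta, "verdict": verdict}

# Constructed sample responses (not taken from the thread).
META_UTF8 = (b'<html><head><meta http-equiv="Content-Type" '
             b'content="text/html; charset=utf-8"></head>')
SAMPLES = [
    ("text/html; charset=ISO-8859-1", META_UTF8),
    ("text/html", META_UTF8),
    ("text/html; charset=utf-8", b"<html><body>ok</body></html>"),
    (None, b"<html><body>ok</body></html>"),
]

if __name__ == "__main__":
    for ctype, body in SAMPLES:
        print(ctype, audit(ctype, body))
```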