On 2/28/10 6:43 PM, Axel Dahmen wrote:
Actually I still can't find a fair reason for omitting the option of
allowing HTML meta tags to provide CSP directives.
* By means of the intersection algorithm, a meta CSP directive can
only tighten security but not loosen.
* Disallowing meta tags
I've read through the CSP specs
(https://wiki.mozilla.org/Security/CSP/Spec#Source_Expression_List) and the
Talk (https://wiki.mozilla.org/Talk:Security/CSP/Spec)...
What I'm missing is a statement about allowing CSP directives in HTML meta
tags.
Use case:
-
My provider just provides
This would also allow for testing local files against CSP directives.
---
Axel Dahmen keentok...@newsgroup.nospam wrote in newsgroup message
news:q_gdneegtdzj7rfwnz2dnuvz_tidn...@mozilla.org...
I've read through the CSP specs
Axel Dahmen wrote on 2/28/2010 5:28 AM:
I've read through the CSP specs
(https://wiki.mozilla.org/Security/CSP/Spec#Source_Expression_List) and the
Talk (https://wiki.mozilla.org/Talk:Security/CSP/Spec)...
What I'm missing is a statement about allowing CSP directives in HTML meta
tags.
Thanks, Bil, for enlightening me.
Actually I still can't find a fair reason for omitting the option of
allowing HTML meta tags to provide CSP directives.
* By means of the intersection algorithm, a meta CSP directive can only
tighten security but not loosen.
* Disallowing meta tags would