CSP: Allow <meta> to tighten existing policy.

w3c · Jun 11, 2014 · f697c40 · f697c40
1 parent aeeff02
commit f697c40
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 24 deletions.
diff --git a/specs/content-security-policy/index.html b/specs/content-security-policy/index.html
@@ -91,7 +91,7 @@
 </p>
   <h1 class="p-name no-ref" id=title>Content Security Policy</h1>
   <h2 class="no-num no-toc no-ref heading settled heading" id=subtitle><span class=content>Editor’s Draft,
-    <span class=dt-updated><span class=value-title title=20140607>7 June 2014</span></span></span></h2>
+    <span class=dt-updated><span class=value-title title=20140611>11 June 2014</span></span></span></h2>
   <div data-fill-with=spec-metadata><dl><dt>This version:<dd><a class=u-url href=https://w3c.github.io/webappsec/specs/content-security-policy/>https://w3c.github.io/webappsec/specs/content-security-policy/</a><dt>Latest version:<dd><a href=http://www.w3c.org/TR/CSP/>http://www.w3c.org/TR/CSP/</a><dt>Editor’s Draft:<dd><a href=https://w3c.github.io/webappsec/specs/content-security-policy/>https://w3c.github.io/webappsec/specs/content-security-policy/</a>
     <dt>Feedback:</dt>
         <dd><a href="mailto:public-webappsec@w3.org?subject=%5BCSP%5D%20feedback">public-webappsec@w3.org</a>
@@ -529,9 +529,6 @@ <h3 class="heading settled heading" data-level=3.3 id=delivery-html-meta-element
       </dt>
       <dd>
         <ol>
-          <li>If the user agent is already enforcing a <a data-link-type=dfn href=#security-policy title=policy>policy</a> for the
-          document, abort these steps.</li>
-
           <li>If the Document’s <code><a data-link-type=element href=http://www.w3.org/html/wg/drafts/html/CR/document-metadata.html#the-head-element title=head>head</a></code> element is
           not an ancestor of the <code><a data-link-type=element href=http://www.w3.org/html/wg/drafts/html/CR/document-metadata.html#meta title=meta>meta</a></code> element, abort
           these steps.</li>
@@ -557,18 +554,22 @@ <h3 class="heading settled heading" data-level=3.3 id=delivery-html-meta-element
       </dd>
     </dl>
 
-<p>As a consequence of these requirements, a policy supplied in an
-    HTTP header field takes precedence over policies supplied in
-    <code><a data-link-type=element href=http://www.w3.org/html/wg/drafts/html/CR/document-metadata.html#meta title=meta>meta</a></code> elements. Similarly, the above
-    requirements entail that the first <code><a data-link-type=element href=http://www.w3.org/html/wg/drafts/html/CR/document-metadata.html#meta title=meta>meta</a></code>
-    element containing a policy takes precedence over policies supplied
-    in subsequent <code><a data-link-type=element href=http://www.w3.org/html/wg/drafts/html/CR/document-metadata.html#meta title=meta>meta</a></code> elements, and that
-    modifications to the <code><a data-link-type=element-attr href=http://www.w3.org/html/wg/drafts/html/CR/document-metadata.html#attr-meta-content title=content>content</a></code> attribute
-    after it is parsed will be ignored. Authors SHOULD place the
+<p>Authors are <em>strongly encouraged</em> to place the
     <code><a data-link-type=element href=http://www.w3.org/html/wg/drafts/html/CR/document-metadata.html#meta title=meta>meta</a></code> element as early in the document as
     possible to reduce the risk of content injection before a protective
     policy can be read and enforced.</p>
 
+<p class=note>Note: A <a data-link-type=dfn href=#security-policy title=policy>policy</a> specified via a <code><a data-link-type=element href=http://www.w3.org/html/wg/drafts/html/CR/document-metadata.html#meta title=meta>meta</a></code>
+    element will be enforced along with any other policies active for the
+    protected resource, regardless of where they’re specified. The general
+    mechanism for determining the effect of enforcing multiple policies is
+    detailed in the <a data-section="" href=#enforcing-multiple-policies>Enforcing multiple policies.</a>
+    section.</p>
+
+<p class=note>Note: Modifications to the <code><a data-link-type=element-attr href=http://www.w3.org/html/wg/drafts/html/CR/document-metadata.html#attr-meta-content title=content>content</a></code>
+    attribute of a <code><a data-link-type=element href=http://www.w3.org/html/wg/drafts/html/CR/document-metadata.html#meta title=meta>meta</a></code> element after the
+    element has been parsed will be ignored.</p>
+
 <p class=note>Note: The <code><a data-link-type=dfn href=#content-security-policy-report-only title=content-security-policy-report-only>Content-Security-Policy-Report-Only</a></code>
     header is <em>not</em> supported inside a <code><a data-link-type=element href=http://www.w3.org/html/wg/drafts/html/CR/document-metadata.html#meta title=meta>meta</a></code>
     element.</p>

diff --git a/specs/content-security-policy/index.src.html b/specs/content-security-policy/index.src.html
@@ -289,9 +289,6 @@ <h3 id="delivery-html-meta-element">
       </dt>
       <dd>
         <ol>
-          <li>If the user agent is already enforcing a <a>policy</a> for the
-          document, abort these steps.</li>
-
           <li>If the Document's <code><a element>head</a></code> element is
           not an ancestor of the <code><a element>meta</a></code> element, abort
           these steps.</li>
@@ -316,19 +313,23 @@ <h3 id="delivery-html-meta-element">
         </ol>
       </dd>
     </dl>
-
-    As a consequence of these requirements, a policy supplied in an
-    HTTP header field takes precedence over policies supplied in
-    <code><a element>meta</a></code> elements. Similarly, the above
-    requirements entail that the first <code><a element>meta</a></code>
-    element containing a policy takes precedence over policies supplied
-    in subsequent <code><a element>meta</a></code> elements, and that
-    modifications to the <code><a element-attr>content</a></code> attribute
-    after it is parsed will be ignored. Authors SHOULD place the
+
+    Authors are <em>strongly encouraged</em> to place the
     <code><a element>meta</a></code> element as early in the document as
     possible to reduce the risk of content injection before a protective
     policy can be read and enforced.
 
+    Note: A <a>policy</a> specified via a <code><a element>meta</a></code>
+    element will be enforced along with any other policies active for the
+    protected resource, regardless of where they're specified. The general
+    mechanism for determining the effect of enforcing multiple policies is
+    detailed in the <a section href="#enforcing-multiple-policies"></a>
+    section.
+
+    Note: Modifications to the <code><a element-attr>content</a></code>
+    attribute of a <code><a element>meta</a></code> element after the
+    element has been parsed will be ignored.
+
     Note: The <code><a>Content-Security-Policy-Report-Only</a></code>
     header is <em>not</em> supported inside a <code><a element>meta</a></code>
     element.