
No CSP report-uri|frame-ancestors|sandbox in meta

Add a normative document-conformance (authoring) requirement that a Content
Security Policy given in the value of the `content` attribute of a
meta[http-equiv="content-security-policy"] element must not contain any
`report-uri`, `frame-ancestors`, or `sandbox` directives.
sideshowbarker authored and annevk committed Jan 17, 2016
1 parent 59d9ae1 commit 39470724136a366bab4e893efd889a513d61cc3e
Showing with 6 additions and 2 deletions.
  1. +6 −2 source
8 source
attribute in the <span data-x="attr-meta-http-equiv-content-security-policy">Content security
policy state</span>, the <code data-x="attr-meta-content">content</code> attribute must have a
value consisting of a <span data-x="Content Security Policy syntax">valid Content Security
Policy</span>, which will be <span data-x="enforce the policy">enforced</span> upon the current
document. <ref spec="CSP"></p>
Policy</span>, but must not contain any <code data-x="report-uri directive">report-uri</code>,
<code data-x="frame-ancestors directive">frame-ancestors</code>, or <code data-x="sandbox
directive">sandbox</code> <span data-x="Content Security Policy directive">directives</span>.
The <span>Content Security Policy</span> given in the <code
data-x="attr-meta-content">content</code> attribute will be <span
data-x="enforce the policy">enforced</span> upon the current document. <ref spec="CSP"></p>

<div class="example">
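
Review bot: The added "must not contain any report-uri, frame-ancestors, or sandbox directives" sentence is an authoring requirement only, and the sentence after it still says the policy given in the content attribute "will be enforced upon the current document" without qualification. As written, the text does not say what a user agent does when a meta-delivered policy does include one of those three directives, so a reader could take it to mean the whole policy, including those directives, is enforced. Consider adding a short note after the enforcement sentence that points to the CSP processing rules for how these directives are handled in a meta element, so that authors relying on frame-ancestors or sandbox for protection know to send them in the HTTP header instead.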
