Does the `meta http-equiv="Content-Security-Policy"` tag allow lists of policies? #5102

bakkot opened this issue Nov 22, 2019 · 1 comment



@bakkot bakkot commented Nov 22, 2019

The HTML spec says that the content of a `<meta http-equiv="Content-Security-Policy" content="...">` tag should be a `serialized-policy` and should be parsed according to Parse a serialized CSP.

This implies that it does not allow multiple comma-separated policies, such as `img-src 'none', script-src 'sha256-lLvWePLrgCn07EcwYB0JPy65n3OloEYiWK34Ql9Zdmc='`. That would be a `serialized-csp-list`, parsed according to Parse a serialized CSP list, which nothing I can find actually uses. (Also, that algorithm returns multiple policies, each of which would need to be enforced.)

However, both Chrome and Safari do allow policy lists such as the above. Firefox and the Nu HTML checker do not - Firefox attempts to parse it as a single policy including the `,`, while the Nu HTML checker considers it an outright error.

As far as I can tell, the web platform tests do not cover this case.

Here is a simple page with the above comma-separated CSP, which contains both an image and an inline script with no hash. Its source is below.

Which is the intended behavior?

demo page source

```html
<!DOCTYPE html>
  <meta charset="utf-8">
  <meta http-equiv="Content-Security-Policy" content="img-src 'none', script-src 'sha256-lLvWePLrgCn07EcwYB0JPy65n3OloEYiWK34Ql9Zdmc='">
<title>CSP test</title>
  <span id="title">If you can see this, the CSP violation event listener was prevented from executing.</span>
  <script nonce="example">
    document.getElementById('title').innerText = 'CSP directives violated:';
    let directives = new Set;
    document.addEventListener('securitypolicyviolation', function(e) {
      // Assumed line (missing from this copy): record which directive was violated.
      directives.add(e.violatedDirective);
      // Re-render the list of violated directives on every violation event.
      document.getElementById('violations').innerHTML = [...directives].map(v => '<li>' + v).join('');
    });
  </script>
  <ul id="violations"></ul>

  <img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" alt="a red dot">
  <script>console.log('a console log from an inline script')</script>
```
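The difference between the two algorithms named in the issue, as an added example that is not part of the original post or the spec's own text: a minimal JavaScript rendering of "Parse a serialized CSP" and "Parse a serialized CSP list", run on the demo page's `content` value. The function names are illustrative, and the steps are a simplified reading of the CSP spec's algorithms.

```javascript
// Added example (not from the issue). Function names are illustrative.
const WS_RUN = /[\t\n\f\r ]+/;                       // ASCII whitespace run
const WS_EDGES = /^[\t\n\f\r ]+|[\t\n\f\r ]+$/g;     // leading/trailing ASCII whitespace
const asciiLower = (s) => s.replace(/[A-Z]/g, (c) => c.toLowerCase());

// "Parse a serialized CSP": ONE policy; ';' separates directives.
function parseSerializedCSP(serialized) {
  const directives = new Map();
  for (const raw of serialized.split(';')) {
    const token = raw.replace(WS_EDGES, '');
    if (token === '') continue;
    const [first, ...values] = token.split(WS_RUN);
    const name = asciiLower(first);
    if (directives.has(name)) continue;              // duplicate directive: first one wins
    directives.set(name, values);
  }
  return directives;
}

// "Parse a serialized CSP list": ',' separates whole policies,
// each of which is parsed on its own and would be enforced on its own.
function parseSerializedCSPList(list) {
  return list.split(',')
    .map(parseSerializedCSP)
    .filter((policy) => policy.size > 0);            // empty policies are dropped
}

// Render a policy as "name => value value ..." lines for comparison.
function summarize(policy) {
  return [...policy].map(([name, values]) => `${name} => ${values.join(' ')}`);
}

// The content attribute from the demo page in the issue.
const content =
  "img-src 'none', script-src 'sha256-lLvWePLrgCn07EcwYB0JPy65n3OloEYiWK34Ql9Zdmc='";

// Single-policy reading: one img-src directive whose source list swallows
// "'none',", "script-src" and the hash; no script-src directive exists.
console.log('as serialized-policy:', summarize(parseSerializedCSP(content)));

// List reading: two independent policies, img-src and script-src.
console.log('as serialized-csp-list:', parseSerializedCSPList(content).map(summarize));
```

Under the single-policy reading the document ends up with no `script-src` restriction at all, so an author who tests only in a browser that accepts lists can ship a policy that is weaker elsewhere.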


@annevk annevk commented Nov 22, 2019
