No CSP report-uri|frame-ancestors|sandbox in meta #523
+6
−2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
Author
OK then, settled on this: attribute in the <span data-x="attr-meta-http-equiv-content-security-policy">Content security
policy state</span>, the <code data-x="attr-meta-content">content</code> attribute must have a
value consisting of a <span data-x="Content Security Policy syntax">valid Content Security
- Policy</span>, which will be <span data-x="enforce the policy">enforced</span> upon the current
- document. <ref spec="CSP"></p>
+ Policy</span>, but must not contain any <code data-x="report-uri directive">report-uri</code>,
+ <code data-x="frame-ancestors directive">frame-ancestors</code>, or <code data-x="sandbox
+ directive">sandbox</code> <span data-x="Content Security Policy directive">directives</span>.
+ The <span>Content Security Policy</span> given in the <code
+ data-x="attr-meta-content">content</code> attribute will be <span
+ data-x="enforce the policy">enforced</span> upon the current document. <ref spec="CSP"></p> |
Member
|
We are still waiting for @mikewest to review this? LGTM otherwise. |
Member
Author
Yeah—especially since it’s a normative change, don’t think it should be merged til he’s reviewed and OK’ed it. |
Member
|
LGTM, sorry for the delay. Note that I want to drop the restriction on |
Add a normative document-conformance (authoring) requirement that a Content Security Policy given in the value of the `content` attribute of a meta[http-equiv="content-security-policy] element must not contain any `report-uri`, `frame-ancestors`, or `sandbox` directives.
annevk
force-pushed
the
meta-csp-disallowed-directives
branch
from
9bb1782 to
3947072
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add a normative document-conformance (authoring) requirement that a Content Security Policy given in the value of the
contentattribute of ameta[http-equiv=content-security-policy]element must not contain anyreport-uri,frame-ancestors, orsandboxdirectives.To help authors/developers avoid making the mistake of putting
report-uri,frame-ancestors, orsandboxdirectives inmeta—where UAs will just (silently) ignore them—the document-conformance (authoring) side of the spec’s CSP requirements should explicitly disallow those directives inmeta.Adding this to the spec also enables me to add a corresponding error message to the HTML checker.
cc @mikewest