Remove the <meta> element as a mechanism for sending the policy, as discussed
author Adam Barth <w3c@adambarth.com>
Sun, 01 Apr 2012 16:06:35 -0700
changeset 9459ec5f6bac1a
parent 93 70b666a7fbec
child 95 91163bbd2daf
Remove the <meta> element as a mechanism for sending the policy, as discussed
on public-webappsec.
csp-specification.dev.html
     1.1 --- a/csp-specification.dev.html	Sat Mar 24 22:33:50 2012 -0700
     1.2 +++ b/csp-specification.dev.html	Sun Apr 01 16:06:35 2012 -0700
     1.3 @@ -133,11 +133,11 @@
     1.4        external scripts, because the user agent cannot determine whether an
     1.5        inline script was injected by an attacker.</p>
     1.6  
     1.7 -      <p>To take advantage of CSP, a web application opts into using
     1.8 -      CSP by supplying a <code>Content-Security-Policy</code> HTTP header or an
     1.9 -      appropriate HTML <code>meta</code> element. Such policies apply the current
    1.10 -      document only. To supply a policy for an entire site, the server need to
    1.11 -      supply a policy with each resource representation.</p>
    1.12 +      <p>To take advantage of CSP, a web application opts into using CSP by
    1.13 +      supplying a <code>Content-Security-Policy</code> HTTP header Such
    1.14 +      policies apply the current document only. To supply a policy for an
    1.15 +      entire site, the server need to supply a policy with each resource
    1.16 +      representation.</p>
    1.17      </section>
    1.18  
    1.19      <section id="conformance">
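Review bot: the replacement paragraph at 1.13 drops the sentence-ending period after `HTTP header`, so the new text reads `...HTTP header Such policies...`; 1.13 should end with `HTTP header.` While this paragraph is being rewritten it is also worth fixing the two grammar slips carried over from the old wording: `apply the current document only` (1.14) should be `apply to the current document only`, and `the server need to supply` (1.15) should be `the server needs to supply`.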
    1.20 @@ -231,15 +231,8 @@
    1.21        <section>
    1.22          <h3>Policy Delivery</h3>
    1.23  
    1.24 -        <p>The policy can be delivered from the server to the client via an
    1.25 -        HTTP response header or an HTML <code>meta</code> element.</p>
    1.26 -
    1.27 -        <p>Of the two delivery mechanisms, servers SHOULD use the HTTP
    1.28 -        response header mechanism whenever possible. When using the HTML
    1.29 -        <code>meta</code> element, there is a peroid of time between when
    1.30 -        the user agent begins processing the document and when the user
    1.31 -        agent processes the <code>meta</code> element when the document
    1.32 -        is not protected by the policy.</p>
    1.33 +        <p>The server delivers the policy to the user agent via an HTTP
    1.34 +        response header.</p>
    1.35  
    1.36          <section>
    1.37            <h4><code>Content-Security-Policy</code> Header Field</h4>
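Review bot: the deleted text at 1.27 carried the only normative keyword in this paragraph (`SHOULD use the HTTP response header mechanism`), and the replacement at 1.33-1.34 is a plain description with no requirement level; now that the header is the sole delivery mechanism, a normative form such as `Servers MUST deliver the policy to the user agent in an HTTP response header field as defined below` would keep the requirement enforceable rather than leaving it implied. The singular `an HTTP response header` is also slightly narrow: the removed `meta` text at 1.47-1.48 and 1.79 referenced both `Content-Security-Policy` and `Content-Security-Policy-Report-Only` (with separate `#enforce` and `#monitor` behaviour), so if both header fields remain defined in this section, `one of the HTTP response header fields defined in this section` would describe delivery more accurately.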
    1.38 @@ -299,59 +292,6 @@
    1.39            stricter policy.</p>
    1.40          </section>
    1.41  
    1.42 -        <section>
    1.43 -          <h4>HTML <code>meta</code> Element</h4>
    1.44 -
    1.45 -          <p>The server MAY supply a CSP policy in an HTML <code>meta</code>
    1.46 -          element with an <code>http-equiv</code> attribute that is a case
    1.47 -          insensitive match for either <code>Content-Security-Policy</code> or
    1.48 -          <code>Content-Security-Policy-Report-Only</code>.</p>
    1.49 -
    1.50 -          <p>Add the following entries to the <a
    1.51 -          href="http://www.w3.org/TR/html5/semantics.html#pragma-directives">pragma
    1.52 -          directives</a> for the <code>meta</code> element:</p>
    1.53 -
    1.54 -          <dl>
    1.55 -            <dt>Content security policy (<code>http-equiv="content-security-policy"</code>)</dt>
    1.56 -            <dd>
    1.57 -              <ol>
    1.58 -                <li>If the user agent is already enforcing a CSP policy for the
    1.59 -                document, abort these steps.</li>
    1.60 -
    1.61 -                <li>If the <code>meta</code> element lacks a
    1.62 -                <code>content</code> attribute, abort these steps.</li>
    1.63 -
    1.64 -                <li><a href="#enforce">Enforce</a> the CSP policy contained in
    1.65 -                the <code>content</code> attribute of the <code>meta</code>
    1.66 -                element.</li>
    1.67 -              </ol>
    1.68 -            </dd>
    1.69 -
    1.70 -            <dt>Content security policy, report only (<code>http-equiv="content-security-policy-report-only"</code>)</dt>
    1.71 -            <dd>
    1.72 -              <ol>
    1.73 -                <li>If the user agent is already monitoring a CSP policy for
    1.74 -                the document, abort these steps.</li>
    1.75 -
    1.76 -                <li>If the <code>meta</code> element lacks a
    1.77 -                <code>content</code> attribute, abort these steps.</li>
    1.78 -
    1.79 -                <li><a href="#monitor">Monitor</a> the CSP policy contained in
    1.80 -                the <code>content</code> attribute of the <code>meta</code>
    1.81 -                element.</li>
    1.82 -              </ol>
    1.83 -            </dd>
    1.84 -          </dl>
    1.85 -
    1.86 -          <p>As a consequence of these requirements, a policy supplied in an
    1.87 -          HTTP header field takes precedence over policies supplied in
    1.88 -          <code>meta</code> elements. Similarly, the above requirements entail
    1.89 -          that the first <code>meta</code> element containing a policy takes
    1.90 -          precedence over policies supplied in subsequent <code>meta</code>
    1.91 -          elements.</p>
    1.92 -        </section>
    1.93 -      </section>
    1.94 -
    1.95        <section>
    1.96          <h3>Syntax</h3>
    1.97
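Review bot: this hunk removes one opening `<section>` (1.42) but two closing `</section>` tags (1.92 and 1.93), which looks like it unbalances the markup. By indentation, the `</section>` at 1.92 (eight spaces) pairs with the `meta` subsection opened at 1.42, while the `</section>` at 1.93 (six spaces) pairs with the enclosing `Policy Delivery` section opened at 1.21 in the previous hunk; with 1.93 gone, the `Syntax` `<section>` at 1.95 opens at the same six-space depth without `Policy Delivery` ever being closed, so `Syntax` ends up nested inside `Policy Delivery`. Suggested fix: keep the close tag, i.e. delete only 1.42-1.92 and leave `      </section>` (1.93) in place. The rest of the removal is consistent: the precedence paragraph at 1.86-1.91 only ordered header versus `meta` and first versus subsequent `meta` elements, which has no meaning once the header is the only channel, and the `#enforce` and `#monitor` links at 1.73 and 1.88 are the only references to those anchors within this diff, so nothing visible here dangles.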