
Can policies be specified in a meta tag?

Open RByers opened this issue 10 years ago • 2 comments

Most CSP policies can be provided via either an HTTP header or an <meta http-equiv> tag. I assume either approach is fine here, right? Should the spec say this explicitly somewhere?

RByers, Feb 25 '16 01:02

Yeah, either approach is fine. I'm hoping to refer to the appropriate sections in CSP in order to "inherit" that language from it, as the behavior we need from it is similar. We want meta tags to be able to apply a stricter policy, but not relax it (e.g. we don't want a script running in the context of the main page to be able to turn off CPP).

yoavweiss, Feb 25 '16 07:02

Makes sense, thanks.

RByers, Feb 25 '16 17:02
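
The "stricter but never looser" behaviour discussed in this thread, sketched as an added example that is not part of the thread or of either spec. It models the CSP rule that every delivered policy is enforced at once, using constructed policies; `parsePolicy`, `PolicySet` and the exact-token source matching are assumptions made for illustration.

```javascript
// Added illustration; a simplified model, not the CSP or CPP algorithm text.
// Assumptions: source expressions are compared as exact tokens, with no
// wildcard matching, no default-src fallback and no 'none' handling.

function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // As in CSP, a repeated directive inside one policy is ignored.
    if (!directives.has(name)) directives.set(name, new Set(tokens.slice(1)));
  }
  return directives;
}

class PolicySet {
  constructor() { this.policies = []; }

  // delivery is 'header' or 'meta'; it is recorded for reporting only,
  // because both kinds are enforced the same way.
  add(delivery, text) {
    this.policies.push({ delivery, directives: parsePolicy(text) });
    return this;
  }

  // Delivery channels of the policies that refuse this load.
  blockedBy(directive, source) {
    return this.policies
      .filter(p => p.directives.has(directive) && !p.directives.get(directive).has(source))
      .map(p => p.delivery);
  }

  // A load is allowed only when no policy refuses it.
  allows(directive, source) {
    return this.blockedBy(directive, source).length === 0;
  }
}

// Constructed sample policies.
const HEADER = "script-src 'self' https://cdn.example";
const tightened = new PolicySet().add('header', HEADER).add('meta', "script-src 'self'");
const relaxAttempt = new PolicySet().add('header', HEADER)
  .add('meta', "script-src 'self' https://cdn.example https://other.example");

console.log(tightened.blockedBy('script-src', 'https://cdn.example'));
console.log(relaxAttempt.blockedBy('script-src', 'https://other.example'));
```

Because policies only ever accumulate, a `<meta>` policy injected after the header policy can remove permissions but cannot grant a source the header policy does not already list.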