Consider hiding content attribute of meta tag CSP #291

Similar to the attack suggested in whatwg/html#2369, an attacker may be able to extract the nonce from a Content-Security-Policy specified via meta tag. I believe the `content` attribute value typically has no purpose being visible to the DOM and so may very well be set to an empty string. If any other CSP meta tags (e.g., #277) become available in the future, they should also have their `content` values hidden.

Comments

Sigh, I'd really rather we just move folks away from

I also agree with you to some extent, as the meta tag exposes information that could be misused, but the use of meta tags is real and necessary, as some site operators can deploy CSP only via meta tags. Moreover, I have also seen meta tag CSP proposed as a defense against misbehaving browser extensions that tamper with the header CSP (extensions can modify the response headers, but they cannot modify the page content).

I'm not enthusiastic about this, for a few reasons:

Can you help me understand the counter arguments? What attacks would this prevent? How helpful would it be?

I think we've briefly covered this on another bug when discussing the nonce-hiding behavior from whatwg/html#2369. Basically, while this indeed allows the nonce to be exfiltrated from the

I'd agree with Mike that we wouldn't gain much if we did this, but there is probably at least some opportunity to better explain the current behavior in the spec.

Thank you, all the comments here make sense. As @arturjanc suggests, it may be a good idea to document his points 2, and possibly 3, in the spec. Otherwise, I think we can close this issue.
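The exposure discussed in this issue comes from the fact that a header-delivered policy is never visible to page script, whereas the `content` attribute of a `<meta http-equiv="Content-Security-Policy">` element can be read by any script in the document. The following audit helper is an added example, not code from this issue thread or from the CSP specification: it parses a serialized policy into directives, lists every `'nonce-…'` source (the values a site operator would not want readable from the DOM), and additionally flags the directives that the spec ignores when a policy is delivered via `<meta>`. The function names `parseCsp`, `findNonces` and `auditMetaPolicy` and the two sample policies are constructed for the example.

```javascript
// Added audit helper (not from the issue or the CSP spec). Checks whether a
// policy that a site intends to deliver via <meta> would expose nonces, since
// the meta element's content attribute is readable by page script while a
// header-delivered policy is not.

// Parse a serialized policy into a Map of directive name -> array of source
// expressions. Directives are ';'-separated, tokens are whitespace-separated,
// and names are matched ASCII case-insensitively.
function parseCsp(policy) {
  const directives = new Map();
  for (const rawDirective of policy.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP keeps the first occurrence of a duplicated directive name.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return every 'nonce-<base64>' source expression, with the directive it sits in.
function findNonces(policy) {
  const found = [];
  for (const [name, sources] of parseCsp(policy)) {
    for (const src of sources) {
      const m = /^'nonce-([A-Za-z0-9+\/_-]+=*)'$/i.exec(src);
      if (m) found.push({ directive: name, nonce: m[1] });
    }
  }
  return found;
}

// Audit a policy intended for <meta http-equiv="Content-Security-Policy">.
// Returns an array of finding strings; an empty array means nothing to report.
function auditMetaPolicy(policy) {
  const findings = [];
  for (const { directive, nonce } of findNonces(policy)) {
    findings.push(`nonce readable from meta content attribute: ${directive} 'nonce-${nonce}'`);
  }
  // These directives are ignored when the policy is delivered via <meta>,
  // so carrying them there gives no protection.
  const parsed = parseCsp(policy);
  for (const ignored of ['frame-ancestors', 'report-uri', 'sandbox']) {
    if (parsed.has(ignored)) findings.push(`${ignored} is ignored in a meta-delivered policy`);
  }
  return findings;
}

// Constructed sample policies (not taken from any real site).
const HEADER_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-rAnd0m123' 'strict-dynamic'; object-src 'none'";
const META_POLICY = "script-src 'nonce-rAnd0m123'; frame-ancestors 'none'";

console.log(auditMetaPolicy(META_POLICY));
// -> two findings: the exposed nonce and the ignored frame-ancestors directive
console.log(auditMetaPolicy("default-src 'self'"));
// -> []
```

A practical use is to run `auditMetaPolicy` in a build step over whatever string is templated into the meta element: any nonce finding indicates that the nonce-bearing directive should move to the response header (or that the meta policy should avoid nonces altogether), which is the mitigation available to a site operator today regardless of whether browsers ever hide the attribute value.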