From 8b3a4abd4aadac55ddd31c37568c963dd70f5e17 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Tue, 8 Mar 2022 16:51:34 +0200 Subject: [PATCH] Add note about late CSP Closes #7686 --- source | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/source b/source index 136e3eff661..bbea802f268 100644 --- a/source +++ b/source @@ -15404,6 +15404,14 @@ people expect to have work and what is necessary. data-x="attr-meta-content">content attribute will be enforced upon the current document.

+

At the time of inserting the meta element to the document, it is + possible that some resources have already been fetched. For example, images might be stored in + the list of available images prior to dynamically inserting a meta + element with a Content security + policy state. Resources that have already been fetched are not guaranteed to be + protected by a Content Security Policy that's + enforced late.

+

A page might choose to mitigate the risk of cross-site scripting attacks by preventing the
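Review bot: In the last sentence of the added note, "Resources that have already been fetched are not guaranteed to be protected by a Content Security Policy that's enforced late" reads as if the policy protects the resources. The note's point is the opposite one: a policy enforced late is not applied to fetches that finished before the meta element was inserted. Consider "are not guaranteed to be blocked by a policy that is enforced late", which also drops the contraction. In the first sentence, "inserting the meta element to the document" should read "into the document". The note would also help authors more if it said what follows from this, for example that the policy needs to be declared before any resource it is meant to restrict is fetched.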