Add a note about late CSP
Closes #7686.
noamr authored Mar 17, 2022
1 parent 8a41720 commit 332b8b8
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions source
Expand Up @@ -15468,6 +15468,14 @@ people expect to have work and what is necessary.
data-x="attr-meta-content">content</code> attribute will be <span
data-x="enforce the policy">enforced</span> upon the current document. <ref spec=CSP></p>

<p class="note">At the time of inserting the <code>meta</code> element to the document, it is
possible that some resources have already been fetched. For example, images might be stored in
the <span>list of available images</span> prior to dynamically inserting a <code>meta</code>
element with an <code data-x="attr-meta-http-equiv">http-equiv</code> attribute in the <span
data-x="attr-meta-http-equiv-content-security-policy">Content security policy state</span>.
Resources that have already been fetched are not guaranteed to be blocked by a <span>Content
Security Policy</span> that's <span data-x="enforce the policy">enforced</span> late.</p>

<div class="example">

<p>A page might choose to mitigate the risk of cross-site scripting attacks by preventing the
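
Review bot: The added note's closing sentence ("Resources that have already been fetched are not guaranteed to be blocked by a Content Security Policy that's enforced late") names the gap but gives authors nothing to act on. Consider one more sentence saying that a policy meant to cover a resource has to be in place before that resource is fetched, so a dynamically inserted meta element cannot be relied on for anything loaded earlier. Wording nit in the first sentence: "inserting the meta element to the document" reads better as "into the document". The two bare spans, "list of available images" and "Content Security Policy", carry no data-x attribute while the other spans in this hunk do, so it is worth confirming that both resolve to a definition.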
