diff --git a/source b/source index 6d8c47aa991..99240e590d6 100644 --- a/source +++ b/source @@ -15468,6 +15468,14 @@ people expect to have work and what is necessary. data-x="attr-meta-content">content attribute will be enforced upon the current document.
+At the time of inserting the meta
element to the document, it is
+ possible that some resources have already been fetched. For example, images might be stored in
+ the list of available images prior to dynamically inserting a meta
+ element with an http-equiv
attribute in the Content security policy state.
+ Resources that have already been fetched are not guaranteed to be blocked by a Content
+ Security Policy that's enforced late.
A page might choose to mitigate the risk of cross-site scripting attacks by preventing the
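Review bot: In the last added sentence, "a Content Security Policy that's enforced late" leaves "late" undefined, and the paragraph stops at the caveat without telling authors what to do about it. Suggest tying the wording to the event named in the first sentence, for example "a policy that starts being enforced only after those resources were fetched", and adding one sentence of guidance that a meta element in the Content security policy state should appear in the document before any resource the policy is meant to govern is requested. It would also help to mark the paragraph explicitly as non-normative if that is the intent, since "not guaranteed to be blocked" reads as a statement about behaviour rather than a requirement, and the only concrete case given is the list of available images.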