From 332b8b8b187248524c0d2a655fd1334278cbf865 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Thu, 17 Mar 2022 14:42:57 +0200 Subject: [PATCH] Add a note about late CSP Closes #7686. --- source | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/source b/source index 6d8c47aa991..99240e590d6 100644 --- a/source +++ b/source @@ -15468,6 +15468,14 @@ people expect to have work and what is necessary. data-x="attr-meta-content">content attribute will be enforced upon the current document.

+

At the time of inserting the meta element to the document, it is + possible that some resources have already been fetched. For example, images might be stored in + the list of available images prior to dynamically inserting a meta + element with an http-equiv attribute in the Content security policy state. + Resources that have already been fetched are not guaranteed to be blocked by a Content + Security Policy that's enforced late.

+

A page might choose to mitigate the risk of cross-site scripting attacks by preventing the
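
Review bot: The added note's closing sentence, "Resources that have already been fetched are not guaranteed to be blocked by a Content Security Policy that's enforced late", uses "enforced late" without defining it and gives authors no guidance. Consider tying the term to the case the note describes (a meta element inserted after fetches have begun). A sentence could also say that a policy meant to cover every fetch has to be in place before those fetches start, for example by having the meta element early in the markup rather than inserting it dynamically. In the first sentence, "inserting the meta element to the document" should read "into the document".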