The <meta> tag got punted to CSP 1.1 in the working group.

As of <https://w3c.github.io/webappsec-csp/2/#delivery-html-meta-element (Editor’s Draft, 29 August 2015), we should only honor the CSP meta tag if it is a descendent of <head>.

<rdar://problem/25603538>

Created attachment 275893 [details] Patch and Layout Tests

Comment on attachment 275893 [details] Patch and Layout Tests View in context: https://bugs.webkit.org/attachment.cgi?id=275893&action=review r=me > Source/WebCore/dom/Document.h:829 > + // Handles a HTTP header equivalent set by a meta tag using <meta http-equiv="..." content="...">. This is called As long as your revising this, you might as well say "an HTTP header". > Source/WebCore/dom/Document.h:832 > + // specified in a HTML file. "an HTML file." > LayoutTests/ChangeLog:10 > + X-WebKit-CSP, and X-WebKit-CSP-Report-Only if it is not a descendent of <head>. I assume that there are already tests that CSP features in <head> descendants work?

(In reply to comment #5) > > Source/WebCore/dom/Document.h:829 > > + // Handles a HTTP header equivalent set by a meta tag using <meta http-equiv="..." content="...">. This is called > > As long as your revising this, you might as well say "an HTTP header". > Will fix before landing. > > Source/WebCore/dom/Document.h:832 > > + // specified in a HTML file. > > "an HTML file." > Will fix before landing. > > LayoutTests/ChangeLog:10 > > + X-WebKit-CSP, and X-WebKit-CSP-Report-Only if it is not a descendent of <head>. > > I assume that there are already tests that CSP features in <head> > descendants work? Yes, we have many such tests. One example of a such a test is <http://trac.webkit.org/browser/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked.html?rev=133095>.

Committed r199163: <http://trac.webkit.org/changeset/199163>