No probs I’ll look forward to testing the beta

Regards the meta tag, when http header is used the meta should be ignored IMHO. If the strict rules are followed as in the spec. like the meta follows the head tag then it will be fine.

1. The E4X trick is a good one. I have updated the spec to require that external scripts be served with a valid MIME type for JavaScript. Great catch!

2. With regard to “no code from strings”, Wladimir’s post pretty much covers it. eval provides too much rope for developers to hang themselves with, so CSP turns it off by default. Of course, sites that absolutely need to use those APIs can turn this restriction off.

3. Regarding <meta> policy, I think you and Wladimir raised all the relevant points. There’s no specific security risk that an injected <meta> policy introduces, but it could cause bustage for the page. In fact Sid, one of the developers implementing CSP, has proposed removing it from the design:
http://blog.sidstamm.com/2009/06/csp-with-or-without-meta.html
I don’t feel strongly in favor of keeping it, but I do know that some users aren’t able to set HTTP headers in their environment. This is a risk vs. reward that will have to be considered.

Thanks again for the great feedback and I can’t wait to see what you’ll produce when you get a nightly build in your hands with a working implementation!

I don’t understand your point, I’ve not implemented eval or unescape yet

hxxp://wxx.colcohist-gensoc.org/mysql/onename.php

If you can only make the policy stricter this is still no good because you are giving the attacker control over the page. Should an attacker be able to remove the eval function from a page? Or maybe disable images from an external site, yeah it’s not as serious as modifying the policy by adding it but it is still an issue IMHO.

I think the more sensible option would be for the http header to take priority when used and ignore an attacker supplied meta tag