9

At 3. CSP Policy Delivery it says

The Content-Security-Policy HTTP response header field is the preferred mechanism for delivering a policy

But there are two valid mechanisms, delivery via an HTTP header, and delivery via an HTML meta element:

<meta http-equiv="Content-Security-Policy" content="..."/>

Why is delivery via a header "preferred", or perhaps more importantly, what are the disadvantages of delivery via an HTML meta tag?

For various reasons, in our deployment, adding CSP to the HTML head is simpler to manage.

unor
Marvin
  • https://stackoverflow.com/questions/42444106/where-should-you-configure-content-security-policy is related, but doesn't address this question. – Marvin May 06 '19 at 15:22
  • And, continuing to comment on my own question, I realize that the http-equiv meta tag should appear first in the header, since it only applies to elements that follow it (so perhaps that is one reason to "prefer" a http header...) – Marvin May 06 '19 at 15:28
  • 1
    That and the limitations of the meta tag as per the note. "The Content-Security-Policy-Report-Only header is not supported inside a meta element. Neither are the report-uri, frame-ancestors, and sandbox directives." – Alohci May 06 '19 at 18:06
  • What @Alohci said. But if using the meta element instead of the HTTP header works for you without any observable problems and is as you say easier to manage in your deployment, then there’s no advantage for you to using the HTTP header instead. Specifically if you’re not also using the Content-Security-Policy-Report-Only header and not using the report-uri, frame-ancestors, or sandbox directives, then it’s fine to just specify the meta element in each document instead of using the HTTP header. – sideshowbarker May 07 '19 at 02:49
  • @Alohci, if you post your comment as an answer, I'll accept it since it seems appropriate. – Marvin May 09 '19 at 13:23

2 Answers

9

It seems that this question has been already answered in the comments, but nobody has a couple of minutes to write a response, so I'll try it myself.

Content-Security-Policy delivery through the HTTP response supports some extra features compared to delivery via an HTML meta element, such as Content-Security-Policy-Report-Only and the report-uri, frame-ancestors, and sandbox directives.

However, if you don't need to use any of these features, there’s no advantage to using the HTTP header.

Note that when using the HTML way, the http-equiv meta tag should appear first in the header, since it only applies to elements that follow it.

Marvin
Pablo EM
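As an added example (not code from the question or either answer), a small Python lint that applies the two meta-delivery limitations discussed above to an HTML document: it reports a CSP meta element that is not the first element in head, and any report-uri, frame-ancestors or sandbox directive, which a meta element cannot deliver. The sample documents are constructed for the example.

```python
from html.parser import HTMLParser

# Directives that only the HTTP header can deliver (per the thread above).
# Content-Security-Policy-Report-Only has no meta form at all, so a report-only
# policy always needs the header; nothing in the HTML can express it.
META_UNSUPPORTED = {"report-uri", "frame-ancestors", "sandbox"}

class _MetaCspScanner(HTMLParser):
    """Records each CSP <meta> in <head> and which elements preceded it."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.seen_before = []   # element names seen in <head> so far
        self.policies = []      # (policy text, elements before this meta)

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
            return
        if not self.in_head:
            return
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.policies.append((a.get("content", ""), list(self.seen_before)))
        else:
            self.seen_before.append(tag)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def lint_meta_csp(html: str) -> list:
    """Return findings as strings; an empty list means meta delivery is adequate."""
    scanner = _MetaCspScanner()
    scanner.feed(html)
    if not scanner.policies:
        return ["no Content-Security-Policy <meta> found in <head>"]
    findings = []
    for policy, before in scanner.policies:
        if before:   # meta only governs elements that follow it
            findings.append(f"meta CSP follows {before}; the policy does not apply to them")
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() in META_UNSUPPORTED:
                findings.append(f"directive '{parts[0].lower()}' is ignored in <meta>; deliver it via the HTTP header")
    return findings

# Constructed samples: one meta placed after a script and carrying header-only
# directives, one meta placed first with directives a meta element can carry.
SAMPLE_BAD = """<html><head><script src="/app.js"></script>
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; frame-ancestors 'none'; report-uri /csp"/>
</head><body></body></html>"""
SAMPLE_OK = """<html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'"/>
<title>x</title></head><body></body></html>"""
```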
4

In large organisations, the people responsible for setting up CSP are not the same as those responsible for web page content. When multiple policies apply, they must all be enforced. A developer (via meta) cannot relax a policy established by a system administrator (via http response). The security burden is shifted from all developers to a limited group of administrators.

cquezel
  • Where I work it's not shifted at all, but actually aggravated by having more people that have to be in the know-how and having more communication lag. I mean, if something doesn't work, it won't be the administrator who'll catch it. It will be a developer, who will have then to go to the administrator for a fix. – iwat0qs Aug 23 '23 at 10:59