
Is multiline meta content value allowed?

I am using the meta http-equiv="Content-Security-Policy" tag to whitelist domains. The list is getting quite big, so I was wondering: is it OK to use new lines in the content value?

<meta http-equiv="Content-Security-Policy" content="
   default-src 'self' http://example.com;
   style-src 'self' 'unsafe-inline' http://example.com;
   script-src 'self' 'unsafe-inline' http://example.com;
">

EDIT: I just found that validator.w3.org shows an error on a multiline content value, so I guess it's not allowed.

untitled asked Sep 02 '15 17:09

1 Answer

Maintainer of the W3C HTML Checker (aka validator) here. The HTML checker doesn’t report errors for multi-line content values. The error that it reports for your example above is this:

Bad value Content-Security-Policy for attribute http-equiv on element meta

That is, the error is for the http-equiv attribute, not for the content attribute.

But try changing your source to this:

<meta name="Content-Security-Policy" content="
   default-src 'self' http://example.com;
   style-src 'self' 'unsafe-inline' http://example.com;
   script-src 'self' 'unsafe-inline' http://example.com;
">

…and you’ll see that it reports no error for that.

So, the error you’re seeing is because: If the meta element has a http-equiv attribute, then according to the HTML spec the value of the http-equiv must be one of the following:

  • content-type
  • default-style
  • refresh
  • X-UA-Compatible

So the HTML spec doesn’t (yet) allow http-equiv="Content-Security-Policy".

All that said, this is a bug in the W3C HTML checker, because the checker should support http-equiv="Content-Security-Policy", following the details provided about http-equiv="Content-Security-Policy" in the Content Security Policy spec.

So I raised a checker bug for it just now.

This is basically also a bug in the HTML spec, because at this point the HTML spec itself should also say that http-equiv="Content-Security-Policy" is allowed. So I’ve raised a bug against the HTML spec for this to add http-equiv="Content-Security-Policy" to the Pragma directives section of the HTML spec that I cited above, and a patch for that’ll likely be getting merged into the spec later this week.

sideshowbarker answered Sep 20 '22 10:09
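
An added illustration, not part of the answer above or of any checker's code: the Content Security Policy spec parses a serialized policy by splitting on ";" and then on ASCII whitespace, which includes line feeds, so the multi-line value from the question yields the same directives as a one-line value. The function names are hypothetical, and the list of directives not supported in a meta-delivered policy is taken from the CSP spec rather than from this page.

```javascript
// Added example: parse a serialized CSP along the lines of the CSP spec's
// "parse a serialized CSP" steps. Function names are hypothetical.
const WS = "[\\t\\n\\f\\r ]+";            // ASCII whitespace: tab, LF, FF, CR, space
const TRIM = new RegExp(`^${WS}|${WS}$`, "g");
const SPLIT = new RegExp(WS);

// Directives the CSP spec lists as not supported when the policy comes from <meta>.
const IGNORED_IN_META = new Set(["report-uri", "frame-ancestors", "sandbox"]);

function parseCsp(serialized) {
  const directives = new Map();
  for (const rawToken of serialized.split(";")) {
    const token = rawToken.replace(TRIM, "");
    if (token === "") continue;            // e.g. the empty token after the last ';'
    const [rawName, ...values] = token.split(SPLIT);
    const name = rawName.toLowerCase();    // directive names are ASCII, case-insensitive
    if (directives.has(name)) continue;    // first occurrence wins; duplicates are ignored
    directives.set(name, values);
  }
  return directives;
}

// Collapse a parsed policy back to a canonical one-line string.
function serializeCsp(directives) {
  return [...directives].map(([n, v]) => [n, ...v].join(" ")).join("; ");
}

// Names of directives that would be ignored in a <meta> policy.
function ignoredInMeta(directives) {
  return [...directives.keys()].filter((n) => IGNORED_IN_META.has(n));
}

// The multi-line content value from the question.
const multiLine = `
   default-src 'self' http://example.com;
   style-src 'self' 'unsafe-inline' http://example.com;
   script-src 'self' 'unsafe-inline' http://example.com;
`;

console.log(serializeCsp(parseCsp(multiLine)));
console.log(ignoredInMeta(parseCsp("default-src 'self';\n frame-ancestors 'none'")));
```

Running the one-line output through the same parser gives an identical directive map, which makes it a convenient way to diff a hand-maintained multi-line policy against what is actually deployed.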