I am using the meta http-equiv="Content-Security-Policy" tag to whitelist domains. The list is getting quite big, so I was wondering: is it OK to use new lines in the content value?
<meta http-equiv="Content-Security-Policy" content="
default-src 'self' http://example.com;
style-src 'self' 'unsafe-inline' http://example.com;
script-src 'self' 'unsafe-inline' http://example.com;
">
EDIT: just found that validator.w3.org shows an error on a multiline content value, so I guess it's not allowed.
Maintainer of the W3C HTML Checker (aka validator) here. The HTML checker doesn't report errors for multi-line content values. The error that it reports for your example above is this:
Bad value Content-Security-Policy for attribute http-equiv on element meta
That is, the error is for the http-equiv attribute, not for the content attribute.
But try changing your source to this:
<meta name="Content-Security-Policy" content="
default-src 'self' http://example.com;
style-src 'self' 'unsafe-inline' http://example.com;
script-src 'self' 'unsafe-inline' http://example.com;
">
…and you’ll see that it reports no error for that.
So, the error you're seeing is because: if the meta element has a http-equiv attribute, then according to the HTML spec the value of the http-equiv must be one of the following:
content-type
default-style
refresh
X-UA-Compatible
So the HTML spec doesn't (yet) allow http-equiv="Content-Security-Policy".
All that said, this is a bug in the W3C HTML checker, because the checker should support http-equiv="Content-Security-Policy", following the details provided about http-equiv="Content-Security-Policy" in the Content Security Policy spec. So I raised a checker bug for it just now.
This is basically also a bug in the HTML spec, because at this point the HTML spec itself should also say that http-equiv="Content-Security-Policy" is allowed. So I've raised a bug against the HTML spec for this to add http-equiv="Content-Security-Policy" to the Pragma directives section of the HTML spec that I cited above, and a patch for that'll likely be getting merged into the spec later this week.
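As an added example (not code from the question or the answer above), here is a small Python script that pulls the content value out of the question's multi-line meta tag, parses it the way the CSP spec's parsing algorithm does (split on ';', then on ASCII whitespace, so newlines are just whitespace), and flags the directives the CSP spec says are ignored when a policy is delivered via meta, plus the 'unsafe-inline' sources in the question's policy. The function names content_from_meta, parse_csp and meta_policy_warnings, and the sample HTML, are mine, not from the page.

```python
from __future__ import annotations
import re

# Per the CSP spec, these directives are ignored when the policy is delivered
# through a <meta> element instead of the Content-Security-Policy HTTP header.
META_IGNORED_DIRECTIVES = {"frame-ancestors", "report-uri", "sandbox"}

# Constructed sample: the multi-line <meta> tag from the question above.
SAMPLE_HTML = """<meta http-equiv="Content-Security-Policy" content="
default-src 'self' http://example.com;
style-src 'self' 'unsafe-inline' http://example.com;
script-src 'self' 'unsafe-inline' http://example.com;
">"""


def content_from_meta(html: str) -> str:
    """Pull the content="" value out of a CSP <meta> tag, newlines included."""
    match = re.search(r'<meta[^>]*\scontent="([^"]*)"', html, re.IGNORECASE | re.DOTALL)
    if match is None:
        raise ValueError('no <meta ... content="..."> found')
    return match.group(1)


def parse_csp(serialized: str) -> dict[str, list[str]]:
    """Parse a serialized policy into {directive-name: [source expressions]}.

    Mirrors the spec's algorithm: split on ';', then split each token on ASCII
    whitespace. Newlines are whitespace, so a policy spread across lines inside
    content="" parses identically to the same policy written on one line.
    The first occurrence of a directive name wins; later duplicates are dropped.
    """
    policy: dict[str, list[str]] = {}
    for token in serialized.split(";"):
        parts = token.split()  # no-arg split() collapses spaces, tabs and newlines
        if not parts:
            continue
        name = parts[0].lower()  # directive names match case-insensitively
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def meta_policy_warnings(policy: dict[str, list[str]]) -> list[str]:
    """Flag directives that do nothing in <meta> and source lists that weaken CSP."""
    warnings: list[str] = []
    for name in sorted(policy):
        if name in META_IGNORED_DIRECTIVES:
            warnings.append(f"{name}: ignored when delivered via <meta>")
        if name in ("script-src", "style-src") and "'unsafe-inline'" in policy[name]:
            warnings.append(f"{name}: 'unsafe-inline' permits the inline code CSP is meant to block")
    return warnings
```

Running parse_csp over the multi-line sample and over the same three directives on one line yields identical dictionaries, which is the practical answer to the question; the warnings list is what a reviewer would check before shipping a meta-delivered policy.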