DescriptionCSP: Measure whether we can treat '<meta http-refresh>' as inline script.
https://github.com/w3c/webappsec-csp/issues/112 notes that '<meta>' has
some script-like capabilities that aren't currently covered by CSP. This
patch adds metrics for usage of 'Set-Cookie' and 'Refresh' in documents
that block inline script. If it turns out that the intersection is low,
perhaps we can make this backwards-incompatible change.
R=jochen@chromium.org
Committed: https://crrev.com/d171843d5e59aea28a3d3845422b94a39c221143
Cr-Commit-Position: refs/heads/master@{#416261}
Patch Set 1 #Patch Set 2 : Ugh. #Patch Set 3 : Rebase+Histogram #
Messages
Total messages: 13 (7 generated)
|