Content-Security-Policy pragma directive on meta element does not set self origin on the new policy

### What is the issue with the HTML Standard?

Relates to: https://html.spec.whatwg.org/multipage/semantics.html#pragma-directives:attr-meta-http-equiv-keyword-content-security-policy

The policy's self origin is not set, which prevents the use of 'self' for policies created via meta elements. However, it is permissible to use 'self' here, for example with this WPT test: https://wpt.live/content-security-policy/connect-src/connect-src-beacon-blocked.sub.html

I believe there should be a step that states something along the lines of:
- Set policy's [self-origin](https://w3c.github.io/webappsec-csp/#policy-self-origin) to the [origin](https://html.spec.whatwg.org/multipage/browsing-the-web.html#navigation-params-origin) of the meta element's [node document](https://dom.spec.whatwg.org/#concept-node-document).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Content-Security-Policy pragma directive on meta element does not set self origin on the new policy #11389

What is the issue with the HTML Standard?

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Content-Security-Policy pragma directive on meta element does not set self origin on the new policy #11389

Description

What is the issue with the HTML Standard?

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions