
Is multiline meta content value allowed?


I am using the meta http-equiv="Content-Security-Policy" tag to whitelist domains. The list is getting quite big, so I was wondering: is it OK to use new lines in the content value?

<meta http-equiv="Content-Security-Policy" content="
   default-src 'self' http://example.com;
   style-src 'self' 'unsafe-inline' http://example.com;
   script-src 'self' 'unsafe-inline' http://example.com;
">

EDIT: just found that validator.w3.org shows error on multiline content value, so I guess it's not allowed.


Solution

Maintainer of the W3C HTML Checker (aka validator) here. The HTML checker doesn’t report errors for multi-line content values. The error that it reports for your example above is this:

    Bad value Content-Security-Policy for attribute http-equiv on element meta

That is, the error is for the http-equiv attribute, not for the content attribute.

But try changing your source to this:

    <meta name="Content-Security-Policy" content="
       default-src 'self' http://example.com;
       style-src 'self' 'unsafe-inline' http://example.com;
       script-src 'self' 'unsafe-inline' http://example.com;
    ">

…and you’ll see that it reports no error for that.

So, the error you’re seeing is because, if the meta element has an http-equiv attribute, then according to the HTML spec the value of http-equiv must be one of the following:

• content-type
• default-style
• refresh
• X-UA-Compatible

So the HTML spec doesn’t (yet) allow http-equiv="Content-Security-Policy".

All that said, this is a bug in the W3C HTML checker, because the checker should support http-equiv="Content-Security-Policy", following the details provided about http-equiv="Content-Security-Policy" in the Content Security Policy spec.

So I raised a checker bug for it just now.

This is basically also a bug in the HTML spec, because at this point the HTML spec itself should also say that http-equiv="Content-Security-Policy" is allowed. So I’ve raised a bug against the HTML spec for this to add http-equiv="Content-Security-Policy" to the Pragma directives section of the HTML spec that I cited above, and a patch for that’ll likely be getting merged into the spec later this week.
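As an added example (not code from the question or the answer above), this Python script pulls the policy out of a CSP meta tag with the standard library's HTML parser and parses it the way the CSP spec's "parse a serialized CSP" algorithm does, splitting on ';' and then on ASCII whitespace, so the newline-separated value from the question produces exactly the same directives as a single-line one. The META_IGNORED set lists the directives the CSP spec says are not honoured when a policy is delivered in a meta element rather than an HTTP header; the sample tags are constructed here from the question.

```python
import re
from html.parser import HTMLParser

# Directives the CSP spec says are ignored when the policy arrives via <meta>
# instead of a Content-Security-Policy response header.
META_IGNORED = {"report-uri", "frame-ancestors", "sandbox"}
ASCII_WS = " \t\n\r\f"


def parse_serialized_csp(serialized):
    """Parse a serialized CSP into {directive-name: [source-expressions]}.

    Mirrors the spec: split on ';', strip ASCII whitespace (which includes
    LF/CR, so line breaks are harmless), split the rest on ASCII whitespace,
    lower-case the directive name, and keep the first occurrence of a name.
    """
    policy = {}
    for token in serialized.split(";"):
        token = token.strip(ASCII_WS)
        if not token:
            continue
        name, *values = re.split(r"[ \t\n\r\f]+", token)
        policy.setdefault(name.lower(), values)  # duplicates are ignored
    return policy


class _MetaCSPCollector(HTMLParser):
    """Collect the raw content attribute of every CSP <meta http-equiv> tag."""

    def __init__(self):
        super().__init__()
        self.raw_policies = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "content-security-policy":
            self.raw_policies.append(a.get("content", ""))


def meta_policies(html):
    """Parsed policies of all CSP meta tags, minus directives meta can't carry."""
    collector = _MetaCSPCollector()
    collector.feed(html)
    return [{k: v for k, v in parse_serialized_csp(raw).items() if k not in META_IGNORED}
            for raw in collector.raw_policies]


# Constructed samples: the multi-line tag from the question and a one-line twin.
MULTILINE = """<meta http-equiv="Content-Security-Policy" content="
   default-src 'self' http://example.com;
   style-src 'self' 'unsafe-inline' http://example.com;
   script-src 'self' 'unsafe-inline' http://example.com;
">"""
SINGLELINE = ("<meta http-equiv=\"Content-Security-Policy\" content=\"default-src 'self' "
              "http://example.com; style-src 'self' 'unsafe-inline' http://example.com; "
              "script-src 'self' 'unsafe-inline' http://example.com\">")

if __name__ == "__main__":
    assert meta_policies(MULTILINE) == meta_policies(SINGLELINE)
    print(meta_policies(MULTILINE)[0])
```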