sitespeedio / coach-core

Core functionality for the Coach
MIT License

CSP declaration in meta tag ignored #1

Open impca opened 5 years ago

impca commented 5 years ago

Using the latest Docker image of Sitespeed (sitespeedio/sitespeed.io:latest), Coach attempts to detect CSP headers (https://github.com/sitespeedio/coach/pull/315), but CSP declarations in the HTML source are ignored.

How to check? Create a page with CSP specified in a meta tag ( https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#Examples ):

<!doctype html>
<html lang="en">
    <head>
        <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'self' *.domain.com;">
    </head>
    <body>
...

Then run Sitespeed and you'll still get the advice: Use a good Content-Security-Policy header to make sure you avoid Cross Site Scripting (XSS) attacks. (contentSecurityPolicyHeader)

soulgalore commented 5 years ago

Hi @impca aha I guess then we only check the headers. Any chance you have time to do a PR to fix it? I can try to guide you?

Best Peter

ondras commented 5 years ago

Hi @soulgalore ,

I would like to add that HTML <meta> tags can be used to supply many more HTTP response headers. Some do not even use the http-equiv attribute:

<meta name="referrer" content="origin">

(this is a correct way to supply a referrer policy; also probably not detected by the Coach)
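The check both comments are asking for, as an added example that is not coach-core's own code: look at the response headers first and then fall back to the document's <meta> tags, mapping Content-Security-Policy to http-equiv and Referrer-Policy to name="referrer". Coach's real advice scripts run in the browser against the live DOM; here the page is a plain HTML string scanned with a small regex so the logic runs anywhere. The sample page and headers are constructed for the example and modelled on the snippet in the issue; the function names (parseMetaTags, findPolicy, cspAdvice) are assumptions.

```javascript
// Added example (not coach-core's own code): detect security policies declared
// either as HTTP response headers or as <meta> elements in the document.

// Header name -> how the same policy is declared in a <meta> element.
// CSP mirrors the header name via http-equiv; the referrer policy uses name="referrer".
const META_SOURCES = {
  'content-security-policy': { attr: 'http-equiv', value: 'content-security-policy' },
  'referrer-policy': { attr: 'name', value: 'referrer' },
};

// Parse every <meta ...> tag in an HTML string into an object of
// lowercase attribute names (double-, single- and unquoted values all handled).
function parseMetaTags(html) {
  const tags = [];
  const metaRe = /<meta\b([^>]*)>/gi;
  let m;
  while ((m = metaRe.exec(html)) !== null) {
    const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      let value = '';
      if (a[2] !== undefined) value = a[2];
      else if (a[3] !== undefined) value = a[3];
      else if (a[4] !== undefined) value = a[4];
      attrs[a[1].toLowerCase()] = value;
    }
    tags.push(attrs);
  }
  return tags;
}

// Effective policy for a header name: { value, source: 'header' | 'meta' } or null.
// Browsers enforce both a header and a <meta> policy when both exist; the header
// is reported first here only because it is the stronger place to declare it.
function findPolicy(headerName, responseHeaders, html) {
  const name = headerName.toLowerCase();
  for (const [h, v] of Object.entries(responseHeaders)) {
    if (h.toLowerCase() === name) return { value: v, source: 'header' };
  }
  const spec = META_SOURCES[name];
  if (!spec) return null;
  for (const tag of parseMetaTags(html)) {
    const key = (tag[spec.attr] || '').toLowerCase();
    if (key === spec.value && tag.content !== undefined) {
      return { value: tag.content, source: 'meta' };
    }
  }
  return null;
}

// Mirror the advice from the issue: only flag a missing CSP when neither the
// header nor an equivalent <meta> declaration is present.
function cspAdvice(responseHeaders, html) {
  const policy = findPolicy('Content-Security-Policy', responseHeaders, html);
  if (policy) return { missing: false, source: policy.source, value: policy.value };
  return {
    missing: true,
    source: null,
    value: null,
    advice: 'Use a good Content-Security-Policy header to make sure you avoid Cross Site Scripting (XSS) attacks.',
  };
}

// Constructed sample: no CSP header, CSP and referrer policy only in <meta> tags.
const SAMPLE_HEADERS = { 'content-type': 'text/html; charset=utf-8' };
const SAMPLE_HTML = `<!doctype html>
<html lang="en">
  <head>
    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'self' *.domain.com;">
    <meta name="referrer" content="origin">
  </head>
  <body></body>
</html>`;

console.log(cspAdvice(SAMPLE_HEADERS, SAMPLE_HTML));
console.log(findPolicy('Referrer-Policy', SAMPLE_HEADERS, SAMPLE_HTML));
```

One caveat worth keeping in the advice text even once <meta> is detected: a policy delivered only in <meta> cannot use frame-ancestors, report-uri or sandbox, so a page relying on the <meta> form still has no clickjacking protection from CSP and no violation reporting; the header remains the stronger recommendation.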

soulgalore commented 5 years ago

Cool @ondras let me know if you have time to do a PR to fix that where it's applicable!