Hi,
I have a use case where I'd like to only allow a single script to execute in a web page I'm writing. The script in question can run in head. For complex reasons, I can't trust what is contained in the body of the document (i.e. it may contain scripts that I do not want to execute).
Dynamically inserting a CSP header from our script running in head works fine in practice (in Chrome at least). E.g. the following page does not execute the script in body, but lets the script in <head> run and install event handlers:
<html>
<head>
<script>
setInterval(() => console.log('running'), 1000);
document.write(`<meta http-equiv="Content-Security-Policy" content="script-src 'none'">`);
</script>
</head>
<body>
<script>
console.log("FAILURE this shouldn't execute");
</script>
</body>
</html>
Is my reading of the spec correct? I want to make sure I'm not relying on an implementation detail from Chrome (note that I don't care about other browsers at all, so I don't mind if they don't implement the spec correctly).
Thanks!