to dev-platform
Meta tags provide equivalent behaviour to sending HTTP headers via the
“http-equiv” attribute.
Set-Cookie can be used to provide cookies to the user via this attribute:
<meta http-equiv="Set-Cookie" content="meta=tag">
However this behaviour isn’t restrictable via a Content Security Policy.
This gives an attacker the ability to change a user's cookies via an XSS
exploit and also fixate session cookies.
Impact on the Web:
The HTML specification has removed this behaviour:
Chrome removed it in version 65 and it appears Edge has implemented the
changes to land in the next release.
The usage of the feature is intermittent according to Chrome: “shows up on
~0.02% of pages, with intermittent spikes up to ~0.06%. Cloudflare's error
page seems like a reasonable explanation of this behavior”.
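
Added example (not part of the original message): a static audit a site owner could run over their own HTML to find pages that still set cookies through `http-equiv="Set-Cookie"`, which a Content Security Policy cannot restrict. The names `audit`, `MetaCookieAuditor`, `SESSION_NAMES` and the sample page are illustrative and constructed for this example.

```python
from html.parser import HTMLParser

# Assumption: illustrative session cookie names; replace with your application's own.
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid"}

def parse_cookie(content):
    """Split a Set-Cookie style string into name, value and lowercased attributes."""
    parts = [p.strip() for p in content.split(";")]
    name, _, value = parts[0].partition("=")
    attributes = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attributes[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attributes": attributes}

class MetaCookieAuditor(HTMLParser):
    """Records every <meta http-equiv="Set-Cookie"> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        if tag != "meta":
            return
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("http-equiv", "").strip().lower() != "set-cookie":
            return
        cookie = parse_cookie(attr.get("content", ""))
        cookie["line"] = self.getpos()[0]  # line where the tag starts
        cookie["session_like"] = cookie["name"].lower() in SESSION_NAMES
        self.findings.append(cookie)

def audit(html):
    """Return one finding per cookie-setting meta tag (commented-out tags are skipped)."""
    auditor = MetaCookieAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page: two cookie-setting meta tags, one unrelated, one commented out.
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta charset="utf-8">
<meta http-equiv="Set-Cookie" content="meta=tag">
<META HTTP-EQUIV='set-cookie' CONTENT="SESSIONID=abc123; Path=/; Max-Age=3600">
<meta http-equiv="refresh" content="30">
<!-- <meta http-equiv="Set-Cookie" content="commented=out"> -->
</head><body></body></html>
"""
```

Findings flagged `session_like` are the ones to migrate first, since they correspond to the session fixation concern raised above. Tags written into the page by script at runtime are not visible to a static scan like this one.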