- From: Tsuyoshi Horo <notifications@github.com>
- Date: Thu, 14 May 2015 22:20:10 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/52@github.com>
According to the CSP spec https://w3c.github.io/webappsec/specs/content-security-policy/#csp-request-header

> If the user agent monitors or enforces a policy that contains a directive that contains a source list, then the user agent MUST set a CSP Request Header when requesting cross-origin resources, as described in §3.4 The CSP HTTP Request Header.

But "CSP" is not a simple header https://fetch.spec.whatwg.org/#simple-header

> A simple header is a header whose name is either one of `Accept`, `Accept-Language`, and `Content-Language`, or whose name is `Content-Type` and value, once parsed, has a MIME type (ignoring parameters) that is one of `application/x-www-form-urlencoded`, `multipart/form-data`, and `text/plain`.

So when the user agent requests a cross-origin resource for which CSP is set, it must send a CORS preflight fetch. This means that when we use CSP, we can't use a CDN that doesn't support CORS preflight. Is my understanding correct?

---
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/52
Received on Friday, 15 May 2015 05:20:50 UTC
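The preflight rule the issue walks through, as an added JavaScript example that is not part of the thread or of either spec: it encodes the quoted simple-header definition, reports which headers of a constructed cross-origin request would force a CORS preflight, and shows the response headers a CDN would have to return for the `CSP` request header to be allowed. The `CSP: active` value, the origin and the method list are placeholders chosen for illustration, not taken from the issue.

```javascript
// Added example (not from the issue thread or the specs it quotes).
const SIMPLE_HEADER_NAMES = new Set(['accept', 'accept-language', 'content-language']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// The quoted Fetch rule: the name is Accept / Accept-Language / Content-Language,
// or the name is Content-Type and its MIME type, parameters ignored, is one of three.
function isSimpleHeader(name, value) {
  const n = name.trim().toLowerCase();          // header names are case-insensitive
  if (SIMPLE_HEADER_NAMES.has(n)) return true;
  if (n !== 'content-type') return false;
  const essence = value.split(';')[0].trim().toLowerCase(); // drop "; charset=..." etc.
  return SIMPLE_CONTENT_TYPES.has(essence);
}

// A cross-origin request carrying any non-simple header needs a preflight.
// Returns the names of the headers that trigger it (method checks are omitted;
// the example assumes a GET, which never triggers a preflight on its own).
function headersRequiringPreflight(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => !isSimpleHeader(name, value))
    .map(([name]) => name);
}

// Headers a CDN would have to send on the preflight response so that the
// browser permits the listed request headers (constructed illustration).
function preflightResponseFor(originHeader, requestHeadersValue) {
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Methods': 'GET, HEAD',
    'Access-Control-Allow-Headers': requestHeadersValue,
  };
}

// Constructed sample: headers on a cross-origin resource fetch from a page that
// enforces a CSP with a source list. Only the CSP header is non-simple.
const sampleRequest = {
  Accept: '*/*',
  'Accept-Language': 'en-US',
  'Content-Type': 'text/plain; charset=utf-8',
  CSP: 'active', // placeholder value; the real value is defined by the CSP spec
};

const triggers = headersRequiringPreflight(sampleRequest);
console.log('headers forcing a preflight:', triggers);
console.log('CDN preflight response needed:',
  preflightResponseFor('https://app.example', triggers.join(', ')));
```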