Re: CSP: error handling

From: Hill, Brad <bhill@paypal-inc.com>
Date: Mon, 18 Mar 2013 14:42:49 +0000
To: Mike West <mkwst@google.com>
CC: Anne van Kesteren <annevk@annevk.nl>, "dveditz@mozilla.com" <dveditz@mozilla.com>, Ian Melven <imelven@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <AFCAE3A9-D532-40E9-A893-B278E1C8E5B0@paypal.com>

Will this cause retries, even though the intent is not to load the content?

Brad

On Mar 18, 2013, at 4:40 AM, "Mike West" <mkwst@google.com> wrote:

This seems like a reasonable change. Are there any objections to changing this language?

-mike

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91


On Tue, Mar 12, 2013 at 1:12 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
Rather than returning an empty HTTP 400 response, CSP should act as if
there was a network error. That would be much more consistent with
error handling we've used elsewhere in the platform. E.g. if CORS goes
wrong, you'll get a network error.

FWIW, http://html5.org/temp/fetch.html is the start of drafting the
fetching model the platform uses and I think once it's a bit more
mature we should start providing explicit hooks for CSP in it so the
whole model becomes tightly integrated and you don't have to look in
various places to see what actually happens when a resource is being
fetched.


--
http://annevankesteren.nl/
Received on Monday, 18 March 2013 14:43:24 UTC