Re: CSP, Fetch, and Service Workers

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 23 Apr 2014 20:03:34 +0200
Message-ID: <CADnb78jt7iRfTQAXhN3mJBGsvbKT=7E841GeUY=7rGaujpOFfQ@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
Cc: Jake Archibald <jakearchibald@google.com>, Jungkee Song <jungkee.song@samsung.com>, Alex Russell <slightlyoff@google.com>, Dominic Cooney <dominicc@google.com>

On Thu, Feb 6, 2014 at 8:31 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> 1) What fetch contexts do we want to have? See
>
> * http://lists.w3.org/Archives/Public/public-webappsec/2013Jun/thread.html#msg27
> * http://wiki.whatwg.org/wiki/Contexts
> * https://github.com/slightlyoff/ServiceWorker/issues/140#issuecomment-33190003
>
> Basically, fetch contexts would represent some kind of union between
> CSP and other things that can cause fetches not governed by CSP and be
> slightly more low-level than the CSP primitives as to cater to other
> use cases.
>
> Do people here have opinions on the names we use?

I put something in Fetch now:
http://fetch.spec.whatwg.org/#concept-request-client

CSP can then define that a policy belongs to a global environment. And
that policy has a check algorithm, which given a URL and a context,
returns either yay or nay. Does that make sense?

Fetch will invoke that algorithm before any request (indeed including
before a redirect).

I still think we should change returning a 400 to returning a network error.


-- 
http://annevankesteren.nl/
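The mail sketches a division of labour: CSP attaches a policy to a global environment and exposes a check algorithm (URL + context in, allow/deny out), while Fetch calls that algorithm before every request, including before following each redirect, and surfaces a block as a network error rather than a 400. The following is an added illustration of that shape in Python; it is not code from the thread, from the Fetch spec, or from any browser. The mapping of fetch contexts to CSP directives, the simplified source-expression matching, the `Environment`/`Policy`/`fetch` names, and the in-memory "network" table are all assumptions made for the example.

```python
"""Added example: a CSP policy attached to a global environment, with a
URL+context check that Fetch runs before the initial request and before
every redirect. Names and the context->directive map are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse, urljoin

# Which CSP directive governs which fetch context (assumed pairing for the example).
CONTEXT_TO_DIRECTIVE = {
    "script": "script-src",
    "image": "img-src",
    "style": "style-src",
    "fetch": "connect-src",
}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 20


class NetworkError(Exception):
    """A policy block becomes a network error, not a 400 response."""


def _origin(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def source_matches(source: str, url: str, self_origin: str) -> bool:
    """Match one CSP source expression against a URL (simplified host/scheme rules)."""
    p = urlparse(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(url) == self_origin
    if source == "*":
        return p.scheme in ("http", "https")
    if source.endswith(":") and "/" not in source:        # scheme-source, e.g. "https:"
        return p.scheme == source[:-1]
    # host-source: [scheme://]host[:port]; a leading "*." matches subdomains only
    scheme, _, hostport = source.rpartition("://")
    if scheme and p.scheme != scheme:
        return False
    if not scheme and p.scheme not in ("http", "https"):
        return False
    host, _, port = hostport.partition(":")
    if port and str(p.port or (443 if p.scheme == "https" else 80)) != port:
        return False
    if host.startswith("*."):
        return (p.hostname or "").endswith(host[1:])
    return p.hostname == host


@dataclass
class Policy:
    """The CSP that belongs to a global environment: directive -> source list."""
    directives: Dict[str, List[str]]

    def check(self, url: str, context: str, self_origin: str) -> bool:
        """The check algorithm from the mail: given URL and context, allow or deny."""
        sources = self.directives.get(CONTEXT_TO_DIRECTIVE.get(context, ""))
        if sources is None:
            sources = self.directives.get("default-src")
        if sources is None:
            return True                      # no directive governs this context
        return any(source_matches(s, url, self_origin) for s in sources)


@dataclass
class Environment:
    origin: str
    policy: Policy


@dataclass
class Response:
    status: int
    location: Optional[str] = None


def fetch(env: Environment, url: str, context: str, network: Dict[str, Response]) -> Response:
    """Consult the policy before the first request and again before each redirect."""
    for _ in range(MAX_REDIRECTS + 1):
        if not env.policy.check(url, context, env.origin):
            raise NetworkError(f"blocked by CSP: {context} -> {url}")
        resp = network.get(url, Response(404))
        if resp.status in REDIRECT_STATUSES and resp.location:
            url = urljoin(url, resp.location)   # re-checked on the next iteration
            continue
        return resp
    raise NetworkError("too many redirects")


# Constructed sample environment and responses; nothing here touches a real network.
ENV = Environment(
    origin="https://app.example",
    policy=Policy({
        "default-src": ["'self'"],
        "script-src": ["'self'", "https://cdn.example"],
        "img-src": ["*.img.example"],
    }),
)
NETWORK = {
    "https://app.example/main.js": Response(200),
    "https://app.example/vendor.js": Response(302, location="https://other.example/vendor.js"),
    "https://cdn.example/lib.js": Response(200),
    "https://cdn.example/moved.js": Response(307, location="/lib.js"),
    "https://other.example/vendor.js": Response(200),
    "https://a.img.example/logo.png": Response(200),
    "https://app.example/site.css": Response(200),
}


def try_fetch(url: str, context: str) -> str:
    """Return the final status, or 'network-error' when the policy blocks the chain."""
    try:
        return str(fetch(ENV, url, context, NETWORK).status)
    except NetworkError:
        return "network-error"


if __name__ == "__main__":
    for u, c in [("https://app.example/vendor.js", "script"),
                 ("https://cdn.example/moved.js", "script")]:
        print(c, u, "->", try_fetch(u, c))
```

The `vendor.js` case is the one the mail is about: the first request is same-origin and passes, but the 302 points at a host `script-src` does not list, so the check runs again before the redirect is followed and the whole fetch ends in a network error. The `moved.js` redirect stays within a listed host and completes normally.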
Received on Wednesday, 23 April 2014 18:04:02 UTC