On Wed, Jan 29, 2014 at 8:42 PM, Hill, Brad <bhill@paypal.com> wrote: > One thing we discussed on the call today is that form-action is about > sending data away from the page, while connect-arc is about retrieving > content into the page. By that division, ping and beacon seem to fit > better under form-action. > I've added ping to CSP 1.1: https://github.com/w3c/webappsec/commit/f960b5d724799ca50f01abdb64e6180c063c1064 I'm not sure we agreed on the call that Beacon should fall into 'form-action'. In fact, I think we decided the opposite (that it should fall into 'connect-src'), as it's capable of more than forms are (CORS, et al). In any event, Beacon's status should probably be covered in the Beacon spec (or in a future Fetch integration). I don't think we need to address it specifically in CSP 1.1. -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 7 February 2014 14:41:49 UTC