Beacon and CSP

Hi,

I was wondering if those on the list have opinions on the interaction
between the recently proposed W3C Beacon spec
(https://dvcs.w3.org/hg/webperf/raw-file/tip/specs/Beacon/Overview.html)
and CSP.

The navigator.sendBeacon API makes a same-origin or cross-origin (with the
requisite CORS check) POST request asynchronously. It can send arbitrary
data in the form of an ArrayBufferView, Blob, DOMString, or FormData
(possibly subject to encoding/conversion).

Should this POST request possibly be restricted by CSP, and if so, which
directive would apply? I would propose "yes, CSP should apply, using
connect-src" as a strawman. I know others may disagree, see
https://bugzilla.mozilla.org/show_bug.cgi?id=936340#c17 for some examples :)

Thank you for your thoughts and consideration.

ian

Received on Wednesday, 15 January 2014 18:17:06 UTC
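
Added example, not part of the original message or of either spec: a simplified check of what the strawman would mean in practice, deciding whether a beacon destination is permitted by a policy's connect-src (falling back to default-src). The function names, the sample policy and the example.* hosts are constructed for illustration, and the source matching is a reduced form of the CSP algorithm (no paths, no scheme upgrades).

```javascript
// Added example: simplified CSP source matching, not the full CSP algorithm.
// Assumption (the post's strawman): sendBeacon is checked against connect-src,
// falling back to default-src when connect-src is absent.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; duplicates are ignored.
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

function portOf(u) { return u.port || DEFAULT_PORTS[u.protocol] || ''; }

function sourceMatches(source, target, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true; // simplified: real "*" excludes some schemes
  if (s === "'self'") return target.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // scheme-source
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/);
  if (!m) return false; // unknown keyword or path-bearing source: not handled here
  const [, scheme, wildcard, host, port] = m;
  // Simplification: a scheme-less host-source must match the page's scheme.
  if ((scheme ? scheme + ':' : page.protocol) !== target.protocol) return false;
  const hostOk = wildcard ? target.hostname.endsWith('.' + host) : target.hostname === host;
  if (!hostOk) return false;
  if (port === '*') return true;
  return portOf(target) === (port || DEFAULT_PORTS[target.protocol]);
}

// Would a beacon POST from pageUrl to beaconUrl be allowed under this policy?
function beaconAllowed(header, pageUrl, beaconUrl) {
  const page = new URL(pageUrl);
  const target = new URL(beaconUrl, page); // resolves relative beacon URLs
  const policy = parsePolicy(header);
  const sources = policy.get('connect-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // no governing directive: unrestricted
  return sources.some((src) => sourceMatches(src, target, page));
}

// Constructed sample policy and URLs
const POLICY = "default-src 'self'; connect-src 'self' https://metrics.example.net";
console.log(beaconAllowed(POLICY, 'https://shop.example.com/cart', 'https://metrics.example.net/c'));
```

Under this reading, a page that already restricts XMLHttpRequest destinations with connect-src would get the same allowlist applied to beacons, and a page with only default-src 'self' could not beacon cross-origin at all.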