W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2014

Re: Beacon and CSP

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 17 Jan 2014 12:47:44 +0100
Message-ID: <CADnb78hg-qjT0AF1gb4jr4jkOW2Uv88ZviVoHdNrzVDWgLgXTA@mail.gmail.com>
To: Ian Melven <ian.melven@gmail.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Jan 17, 2014 at 1:23 AM, Ian Melven <ian.melven@gmail.com> wrote:
> form-action seems like another reasonable suggestion since beacon can
> essentially do a form POST (except subject to CORS).

If it triggers CORS, it can do more than <form>, no?

What's CSP's story if we ever change <form> to be able to do more than
it can do now (and use CORS)?


> I think it adds too
> much complexity to try and do something like use a different directive based
> on the type of data being sent.

It seems Beacon should follow XMLHttpRequest, EventSource, and such...


-- 
http://annevankesteren.nl/
Received on Friday, 17 January 2014 11:48:11 UTC

This archive was generated by hypermail 2.3.1 : Friday, 17 January 2014 11:48:12 UTC