- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 17 Jan 2014 12:47:44 +0100
- To: Ian Melven <ian.melven@gmail.com>
- Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Jan 17, 2014 at 1:23 AM, Ian Melven <ian.melven@gmail.com> wrote: > form-action seems like another reasonable suggestion since beacon can > essentially do a form POST (except subject to CORS). If it triggers CORS, it can do more than <form>, no? What's CSP's story if we ever change <form> to be able to do more than it can do now (and use CORS)? > I think it adds too > much complexity to try and do something like use a different directive based > on the type of data being sent. It seems Beacon should follow XMLHttpRequest, EventSource, and such... -- http://annevankesteren.nl/
Received on Friday, 17 January 2014 11:48:11 UTC