
Re: CSP and Fetch

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 23 Jan 2014 16:36:13 -0800
Message-ID: <CADnb78ijXu=DicVP7C4iM+z5oGm=9Cf3f4EzCA=+syUNee6xwQ@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Mon, Sep 30, 2013 at 11:01 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 9/30/13 1:02 PM, Anne van Kesteren wrote:
>> Alex pushed back on merging CSP and Fetch, arguing the Fetch layer
>> should know nothing about the document. This seems reasonable.
>
> Maybe.
>
> The "Fetch layer" (somewhat broadly defined) needs to know various
> meta-information about the document in practice for all sorts of reasons.
> Off the top of my head, HTTP 401 handling often needs to show UI attached to
> the relevant document, for example.
>
> The interesting question is what the right set of meta-information is, of
> course.  A priori, there's nothing that says "the CSP policy" couldn't be in
> this set...
>
>> Image loading knows something about the document, but that could be
>> done pre-network layer I suppose.
>
> Sort of needs to be: the image loading parts that need to know about the
> document need to run sync from the point of view of the webpage.  :(
>
>> I still think we need a "high-level" entry point for people defining
>> end points so they don't forget about CSP. So instead of invoking
>> "fetch" directly at the specification level they'd invoke "document
>> fetch" maybe?
>
> That seems like "fetch" in all but name to me.

I got Alex to agree to this. When I find time again I will start on
integrating CSP into Fetch. From what I heard we also need hooks in
ECMAScript, setTimeout, and others for CSP.


-- 
http://annevankesteren.nl/
Received on Friday, 24 January 2014 00:36:40 UTC