- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 23 Jan 2014 16:36:13 -0800
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: WebAppSec WG <public-webappsec@w3.org>
On Mon, Sep 30, 2013 at 11:01 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 9/30/13 1:02 PM, Anne van Kesteren wrote:
>> Alex pushed back on merging CSP and Fetch, arguing the Fetch layer
>> should know nothing about the document. This seems reasonable.
>
> Maybe.
>
> The "Fetch layer" (somewhat broadly defined) needs to know various
> meta-information about the document in practice for all sorts of reasons.
> Off the top of my head, HTTP 401 handling often needs to show UI attached to
> the relevant document, for example.
>
> The interesting question is what the right set of meta-information is, of
> course. A priori, there's nothing that says "the CSP policy" couldn't be in
> this set...
>
>> Image loading knows something about the document, but that could be
>> done pre-network layer I suppose.
>
> Sort of needs to be: the image loading parts that need to know about the
> document need to run sync from the point of view of the webpage. :(
>
>> I still think we need a "high-level" entry point for people defining
>> end points so they don't forget about CSP. So instead of invoking
>> "fetch" directly at the specification level they'd invoke "document
>> fetch" maybe?
>
> That seems like "fetch" in all but name to me.

I got Alex to agree to this. When I find time again I will start on
integrating CSP into Fetch. From what I heard we also need hooks in
ECMAScript, setTimeout, and others for CSP.

-- 
http://annevankesteren.nl/
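A small model of the layering argued about in this thread, added here as an example (it is not code from the thread, the Fetch or CSP specifications, or any browser): a document-agnostic low-level fetch beside a "document fetch" entry point that consults the document's CSP `connect-src` before delegating, so that whoever uses the entry point cannot forget the check. The policy is assumed to be already parsed into an object, and the sample document, URLs and source expressions are constructed.

```javascript
// Added example, not spec or browser code: a model of the layering discussed
// above. lowLevelFetch knows nothing about the document (Alex's position);
// documentFetch is the "high-level" entry point that consults the document's
// CSP first. Simplified matcher: connect-src with 'none', 'self', scheme- and
// host-sources only; no nonces, hashes, reporting endpoints or upgrade rules.

// Stand-in for the document-agnostic network layer (constructed; no I/O).
function lowLevelFetch(url) {
  return { url: url.href, status: 200 };
}

// Does one CSP source expression allow `url` for a document at `origin`?
function sourceMatches(expr, url, origin) {
  if (expr === "'self'") return url.origin === origin;
  if (expr.endsWith(':')) return url.protocol === expr;           // scheme-source, e.g. wss:
  // host-source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  // "*.x" matches subdomains of x only, never x itself (as in the CSP spec)
  if (wild ? !url.hostname.endsWith('.' + host) : url.hostname !== host) return false;
  if (port && port !== '*') {
    const actual = url.port || { 'https:': '443', 'wss:': '443', 'http:': '80', 'ws:': '80' }[url.protocol];
    if (actual !== port) return false;
  }
  return true;
}

// connect-src governs fetch(); it falls back to default-src when absent.
function cspAllowsConnect(csp, url, origin) {
  const sources = csp['connect-src'] ?? csp['default-src'];
  if (!sources) return true;                                       // no directive, no restriction
  if (sources.length === 1 && sources[0] === "'none'") return false;
  return sources.some(expr => sourceMatches(expr, url, origin));
}

// The "document fetch" entry point: resolve against the document's URL,
// enforce its policy and record any violation for the document, then delegate.
function documentFetch(doc, target) {
  const url = new URL(target, doc.url);
  if (!cspAllowsConnect(doc.csp, url, new URL(doc.url).origin)) {
    doc.violations.push({ directive: 'connect-src', blockedURL: url.href });
    return null;                             // blocked; the violation is the document's business
  }
  return lowLevelFetch(url);
}

// Constructed sample document with an already-parsed policy (header parsing omitted).
const doc = { url: 'https://app.example/page', violations: [],
  csp: { 'connect-src': ["'self'", 'https://api.example', '*.cdn.example', 'wss:'] } };
```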
Received on Friday, 24 January 2014 00:36:40 UTC