Re: CSP and Fetch

On Fri, Jan 24, 2014 at 1:47 AM, Mike West <mkwst@google.com> wrote:
> Great. What can we do to help?

I think I have to do the first step. My idea for the interface based
on discussion with Adam Barth a long time ago is that you pass the CSP
source and CSP policy to fetch. (You need to pass both since fetch has
no link with the document and the policy might change if we allow
programmatic access in the future.)

And then fetch invokes a "CSP check" with the appropriate data. CSP
check would be defined in CSP. If CSP check returns failure, fetch
returns a network error. Otherwise we carry along as before.


-- 
http://annevankesteren.nl/

Received on Friday, 24 January 2014 19:42:01 UTC
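
A minimal JavaScript model of the interface proposed in the message above, added as an illustration and not part of the original email or of any specification text. It assumes "CSP source" means the directive that governs the request; `cspCheck`, `modelFetch`, `snapshotPolicy` and the example origins are hypothetical names, and the source matching is deliberately reduced to `*`, `'self'`, `'none'` and exact origins.

```javascript
// Added illustration; every name here is hypothetical, not from Fetch or CSP.
const NETWORK_ERROR = Object.freeze({ type: "error" });

// Stand-in for the "CSP check" that CSP would define. Simplified matching:
// '*', 'self' and exact origins allow; 'none' (or no match) blocks.
function cspCheck(directive, policy, requestUrl, selfOrigin) {
  const sources = policy[directive] ?? policy["default-src"];
  if (sources === undefined) return true; // no directive governs this request
  const origin = new URL(requestUrl).origin;
  return sources.some((s) =>
    s === "*" || (s === "'self'" && origin === selfOrigin) || s === origin);
}

// Fetch has no link to the document, so the caller copies the policy as it
// stands when the fetch starts; later changes to the document's policy
// cannot alter a request that is already in flight.
function snapshotPolicy(policy) {
  return Object.freeze(Object.fromEntries(
    Object.entries(policy).map(([k, v]) => [k, Object.freeze([...v])])));
}

// Model of fetch: run the CSP check first, return a network error on failure,
// otherwise carry on to the network step (injected so this runs offline).
function modelFetch(requestUrl, { directive, policy, selfOrigin }, doNetwork) {
  if (!cspCheck(directive, policy, requestUrl, selfOrigin)) return NETWORK_ERROR;
  return doNetwork(requestUrl);
}

function demo() {
  // Constructed sample policy and origins.
  const documentPolicy = {
    "default-src": ["'self'"],
    "img-src": ["https://cdn.example"],
  };
  const ok = () => ({ type: "basic", status: 200 });
  const ctx = {
    directive: "img-src",
    policy: snapshotPolicy(documentPolicy),
    selfOrigin: "https://app.example",
  };
  documentPolicy["img-src"] = ["*"]; // programmatic change after the snapshot
  return [
    modelFetch("https://cdn.example/a.png", ctx, ok).type,
    modelFetch("https://other.example/a.png", ctx, ok).type,
    modelFetch("https://app.example/x.js", { ...ctx, directive: "script-src" }, ok).type,
  ];
}
```

The second request is blocked even though the document's policy was loosened after the snapshot, which is the reason the message gives for passing the policy itself to fetch.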