Makes sense. If beacon can do more than form submissions, then it ought to hit `connect-src` rather than `form-action`. With regard to <form> changing behavior, can you give more detail about what plans are in the air? I haven't seen those threads. -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Fri, Jan 17, 2014 at 3:47 AM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Fri, Jan 17, 2014 at 1:23 AM, Ian Melven <ian.melven@gmail.com> wrote: > > form-action seems like another reasonable suggestion since beacon can > > essentially do a form POST (except subject to CORS). > > If it triggers CORS, it can do more than <form>, no? > > What's CSP's story if we ever change <form> to be able to do more than > it can do now (and use CORS)? > > > > I think it adds too > > much complexity to try and do something like use a different directive > based > > on the type of data being sent. > > It seems Beacon should follow XMLHttpRequest, EventSource, and such... > > > -- > http://annevankesteren.nl/ >
Received on Wednesday, 29 January 2014 16:39:44 UTC