On Sun, May 18, 2014 at 3:00 PM, Anne van Kesteren <annevk@annevk.nl> wrote: > (Mike, see end.) > Thanks for looping me in. What about CSP? Should we introduce a "ping" request context for <a > ping> and sendBeacon()? And a ping-src directive or some such maybe. > I don't _think_ we need a new directive, but I'm happy to be convinced otherwise. The Blink implementation is using 'connect-src'. We had a quick thread on public-webappsec@ a few months back, and were waffling between 'connect-src' and 'form-action'. I'm good either way. I'll make sure to add Beacon to the CSP spec, but it would be good to note that it's covered by a CSP directive somewhere in the Beacon spec. -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Sunday, 18 May 2014 17:04:39 UTC