Re: Beacon feedback

On Sun, May 18, 2014 at 7:03 PM, Mike West <mkwst@google.com> wrote:
> On Sun, May 18, 2014 at 3:00 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> What about CSP? Should we introduce a "ping" request context for <a
>> ping> and sendBeacon()? And a ping-src directive or some such maybe.
>
> I don't _think_ we need a new directive, but I'm happy to be convinced
> otherwise. The Blink implementation is using 'connect-src'. We had a quick
> thread on public-webappsec@ a few months back, and were waffling between
> 'connect-src' and 'form-action'. I'm good either way.
>
> I'll make sure to add Beacon to the CSP spec, but it would be good to note
> that it's covered by a CSP directive somewhere in the Beacon spec.

I went with a new context "ping" (intended to cover both Beacon and <a
ping>) and added connect-src to the informative mapping table in
Fetch. Note that this context also requires the CSP to be long-lived.
It might even argue for including the policy with the fetch as there are
no guarantees when the fetch is made. (It could be after a browser
restart for instance.)


-- 
http://annevankesteren.nl/

Received on Sunday, 18 May 2014 17:13:59 UTC
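
The message above maps the "ping" context to connect-src and suggests carrying the policy with the fetch because the send may be deferred. The following is an added example, not part of the original e-mail or of any browser's code, showing a simplified connect-src check applied to a policy snapshot stored with each queued beacon. All function names, the queue format and the hostnames are assumptions made for illustration.

```javascript
// Added sketch: simplified CSP matching for the "ping" context (-> connect-src).
// Supports 'self', '*', scheme sources and host sources with a leading "*.";
// ports, paths and other source expressions are out of scope here.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first one wins
  }
  return directives;
}

function sourceMatches(source, url, selfOrigin) {
  const s = source.toLowerCase();
  const web = url.protocol === 'http:' || url.protocol === 'https:';
  if (s === "'self'") return url.origin === selfOrigin;
  if (s === '*') return web;
  if (s.endsWith(':')) return url.protocol === s; // scheme source, e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(s);
  if (!m) return false; // 'none' and anything unsupported match nothing
  const [, scheme, wildcard, host] = m;
  if (scheme ? url.protocol !== scheme + ':' : !web) return false;
  return wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
}

function pingAllowed(policy, target, selfOrigin) {
  const sources = policy.get('connect-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // no governing directive
  const url = new URL(target);
  return sources.some((src) => sourceMatches(src, url, selfOrigin));
}

// Store the policy with the request (hypothetical queue format), as plain
// arrays so the entry survives being persisted as JSON across a restart.
function queueBeacon(queue, target, cspHeader, selfOrigin) {
  queue.push({ target, selfOrigin, policy: [...parsePolicy(cspHeader)] });
}

// Later, possibly in a new process: check each entry against its own snapshot.
function flushBeacons(queue) {
  return queue.splice(0).map(({ target, selfOrigin, policy }) => ({
    target,
    sent: pingAllowed(new Map(policy), target, selfOrigin),
  }));
}
```

Because each entry carries its own policy, the decision at flush time does not depend on the originating document still existing.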