- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Sun, 18 May 2014 19:13:31 +0200
- To: Mike West <mkwst@google.com>
- Cc: Arvind Jain <arvind@google.com>, Jonas Sicking <jonas@sicking.cc>, Jatinder Mann <jmann@microsoft.com>, "public-web-perf@w3.org" <public-web-perf@w3.org>

On Sun, May 18, 2014 at 7:03 PM, Mike West <mkwst@google.com> wrote:
> On Sun, May 18, 2014 at 3:00 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> What about CSP? Should we introduce a "ping" request context for <a
>> ping> and sendBeacon()? And a ping-src directive or some such maybe.
>
> I don't _think_ we need a new directive, but I'm happy to be convinced
> otherwise. The Blink implementation is using 'connect-src'. We had a quick
> thread on public-webappsec@ a few months back, and were waffling between
> 'connect-src' and 'form-action'. I'm good either way.
>
> I'll make sure to add Beacon to the CSP spec, but it would be good to note
> that it's covered by a CSP directive somewhere in the Beacon spec.

I went with a new context "ping" (intended to cover both Beacon and <a ping>) and added connect-src to the informative mapping table in Fetch.

Note that this context also requires the CSP to be long-lived. It might even argue for including the policy with the fetch as there's no guarantees when the fetch is made. (It could be after a browser restart for instance.)

--
http://annevankesteren.nl/

Received on Sunday, 18 May 2014 17:13:59 UTC
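
As an added example (not part of the original message or of any spec text): a simplified JavaScript check of how a "ping" request, whether from `sendBeacon()` or `<a ping>`, would be evaluated against `connect-src`, with the standard fallback to `default-src`. The function names, sample policies and hosts are constructed for illustration, and the source matching ignores ports, paths and the protected page's own scheme.

```javascript
// Added illustration: simplified subset of CSP source matching.
// Only the "ping" -> connect-src mapping comes from the message above.
const CONTEXT_DIRECTIVE = { ping: "connect-src" };

// Parse a Content-Security-Policy header value into { directive: [sources] }.
// A repeated directive is ignored; the first occurrence wins.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Match one source expression against a parsed URL (assumption: no ports/paths).
function sourceMatches(source, url, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === selfOrigin;
  if (s === "*") return /^https?:$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(s);
  if (!m) return false; // keywords and syntax this sketch does not model
  const [, scheme, wildcard, host] = m;
  if (scheme ? url.protocol !== scheme + ":" : !/^https?:$/.test(url.protocol)) {
    return false;
  }
  // "*.example.com" covers subdomains only, never the bare domain.
  return wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
}

// Decide whether a ping/beacon to `target` is permitted for a page at `selfOrigin`.
function pingAllowed(header, target, selfOrigin) {
  const policy = parsePolicy(header);
  const sources = policy[CONTEXT_DIRECTIVE.ping] ?? policy["default-src"];
  if (sources === undefined) return true; // no governing directive present
  const url = new URL(target, selfOrigin);
  return sources.some((src) => sourceMatches(src, url, selfOrigin));
}

// Constructed sample policy and origin.
const SAMPLE_POLICY = "default-src 'self'; connect-src 'self' https://metrics.example";
const SAMPLE_ORIGIN = "https://shop.example";
console.log(pingAllowed(SAMPLE_POLICY, "https://metrics.example/collect", SAMPLE_ORIGIN));
console.log(pingAllowed(SAMPLE_POLICY, "https://tracker.invalid/p", SAMPLE_ORIGIN));
```
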