- From: Adam Barth <w3c@adambarth.com>
- Date: Sun, 26 Jun 2011 13:59:38 -0700
- To: Brandon Sterne <bsterne@mozilla.com>
- Cc: "public-web-security@w3.org" <public-web-security@w3.org>
Would "connect" be subject to "default-src" ? It seems like it should, but it doesn't have "src" in the name... Adam On Tue, Jun 21, 2011 at 3:13 PM, Brandon Sterne <bsterne@mozilla.com> wrote: > Per previous discussions, I would like to broaden the scope of the > xhr-src directive and rename it to reflect the change. The tentative > proposal for the new directive name is "connect" and it would define the > list of sources that a page can connect to via DOM/JS APIs. To begin > with, this directive would cover: > > - XMLHttpRequest > - WebSocket > - EventSource > > Are there other APIs that belong in this bucket? > > On a related note, Adam has advocated including Worker in this new > category, but I believe we should add Worker under script-src since the > stated purpose of that API is to run script in the background and I > believe this will be "least surprising" to web developers. > > Would people support this change? > > Thanks, > Brandon > >
Received on Sunday, 26 June 2011 21:00:37 UTC