Re: [spec-reviews] Strawman spec review for upgrade insecure requests (#54)

> +### ISSUE: Inconsistent Wording in 4.1?
> +
> +Section 4.1:
> +> We will not upgrade cross-origin navigational requests, with the exception of
> +> form submissions
> +
> +I'm confused now because the document otherwise states that cross-origin
> +navigational requests will be upgraded if they are in the "upgrade insecure
> +navigations set" for a context.
> +
> +### CLARIFICATION: Violation Reports for Inherited Policy
> +
> +As mentioned in 6.2, there is a security issue if a document is able to get
> +violation reports for cross-origin nested documents (iframes, etc.) which
> +inherit upgrade policy. So if a nested document does not specify its reporting
> +endpoint, do all reports from the nested document get blocked?
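Review bot: The ISSUE paragraph asserts that the document "otherwise states" cross-origin navigational requests are upgraded when they are in the "upgrade insecure navigations set", but it does not cite where that is stated; adding the section number next to the quoted 4.1 excerpt would let the spec editors verify the claimed inconsistency without searching the draft. The CLARIFICATION paragraph does this correctly ("As mentioned in 6.2") and the ISSUE paragraph should follow the same form.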

Not "blocked" so much as "not sent". Each Document has its own CSP, and sends reports to that CSP's reporting endpoint. Nested documents will continue to upgrade resources, but the report-only policy that sends reports will only apply to the document with which it was delivered.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/spec-reviews/pull/54/files#r29022923

Received on Friday, 24 April 2015 04:23:03 UTC