- From: Ilya Grigorik <notifications@github.com>
- Date: Tue, 11 Aug 2015 12:04:44 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
Received on Tuesday, 11 August 2015 19:05:18 UTC
> We cannot allow any of these to be set because they are also used for security checks. We went through this a few times...

Yes, and as we discussed before, can we unbundle that? When I say "fetch this as X" I'm specifically thinking of negotiation + prioritization use cases -- today's UA's send different HTTP headers and assign different priorities based on ~type; I want to expose this.

For security...

* When I use fetch() the fetch is subject to connect-src, regardless of type value.
* When I use `<link rel= preload / prefetch / prerender>` those are subject to own x-src (TBD), regardless of type value.

Perhaps we're missing an extra column in there to address the security angle.. and the CSP directive prefixes are basically exactly that: object, media, font, script, etc.

---
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/93#issuecomment-130020620