- From: Mike West <notifications@github.com>
- Date: Mon, 08 Jan 2018 01:54:24 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 8 January 2018 09:54:48 UTC
> `dns-prefetch` and `preconnect` - do we want to block them using CSP or other means? Do they need to be integrated to Fetch?

Fetch defines various connection concepts: https://fetch.spec.whatwg.org/#connections, so `preconnect` probably falls in here somewhere (though not as a request, but as part of the "[obtain a connection](https://fetch.spec.whatwg.org/#concept-connection-obtain)" algorithm). It's not clear to me whether Fetch wants to talk about DNS. If not, `dns-prefetch` falls somewhere else.

It seems likely that folks who care about exfiltration would be interested in restricting both, as they clearly communicate to third-parties. I'd be fine with treating both as `connect-src`, though, so I don't think we need significant new conceptual definitions.

> `prerender` and `next`

I've lost track of both of these, honestly. If we've unshipped them, would you mind removing the code? :)

> `modulepreload`

If it's in HTML, I think I can safely assume that it's setting properties correctly.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/658#issuecomment-355922759
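An added example, not part of the message above or of any spec or browser code: an offline audit that applies the "treat both as `connect-src`" idea to a page's markup, listing `dns-prefetch` and `preconnect` hints whose host the policy's `connect-src` (or `default-src` fallback) would not cover. The function names, hosts and sample policy are hypothetical, and source matching is simplified to hosts only.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page and policy (hypothetical hosts).
SAMPLE_HTML = """
<link rel="dns-prefetch" href="//tracker.example.net">
<link rel="preconnect" href="https://cdn.example.com">
<link rel="preconnect" href="https://app.example.org/">
<link rel="stylesheet" href="https://other.example.net/a.css">
"""
SAMPLE_CSP = "default-src 'none'; connect-src 'self' *.example.com"

class HintCollector(HTMLParser):  # records (rel, host) for each hint <link>
    def __init__(self):
        super().__init__()
        self.hints = []
    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rels = set((a.get("rel") or "").lower().split())
        host = urlsplit(a.get("href") or "").hostname
        if host:
            self.hints += [(r, host) for r in sorted(rels & {"dns-prefetch", "preconnect"})]

def connect_sources(csp):
    # connect-src source list, falling back to default-src; None if neither is set.
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives.get("connect-src", directives.get("default-src"))

def host_allowed(host, sources, self_host):
    # Simplified source matching: hosts only; scheme, port and path are ignored.
    for src in sources:
        if src == "*" or src.endswith(":") or (src == "'self'" and host == self_host):
            return True
        pattern = urlsplit(src if "//" in src else "//" + src).hostname or ""
        if host == pattern or (pattern.startswith("*.") and host.endswith(pattern[1:])):
            return True
    return False

def audit_hints(html, csp, self_host):
    # Hints whose host the policy would not cover if hints were checked as connect-src.
    sources, collector = connect_sources(csp), HintCollector()
    collector.feed(html)
    hints = collector.hints if sources is not None else []
    return [h for h in hints if not host_allowed(h[1], sources, self_host)]
```

Calling `audit_hints(SAMPLE_HTML, SAMPLE_CSP, "app.example.org")` reports only the `dns-prefetch` to `tracker.example.net`; a policy with neither `connect-src` nor `default-src` reports nothing, since it restricts no connections.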