Re: [whatwg/fetch] fetch+CSP end up touching globals in a parallel section on redirect (#832)

From the CSP spec point of view, I'm happy to make any changes to use a snapshotted version of the CSP list. I suppose, from my uninformed point of view, responses already have a [CSP list](https://fetch.spec.whatwg.org/#concept-response-csp-list), so a request could also have a snapshot of the CSP list (which could slightly be trimmed down, I doubt `base-uri` for example is relevant).

In my ideal world mutable CSP policies don't seem like something anyone would ever use in a legitimate manner, but there is a need to allow `<meta>` tags to add CSP because there are servers that don't give control of HTTP headers of the pages they host. Assuming there is no legitimate use case for mutable CSP policies, another idea might be perhaps to "lock" the CSP policies as soon as a request is made (or maybe as soon as a CSP check is performed). Thoughts on this?

-- 
https://github.com/whatwg/fetch/issues/832#issuecomment-439400167

Received on Friday, 16 November 2018 13:56:32 UTC
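
The two ideas in the message above (a per-request snapshot of the CSP list, and "locking" the list once a request is made), as an added example that is not part of the original message or of the Fetch or CSP specifications. It is a toy model: `Doc`, `startRequest`, `checkRedirect` and `scenario` are hypothetical names, and a policy is reduced to a list of allowed origins.

```javascript
// Toy model, constructed for illustration; not the Fetch/CSP spec algorithms.
// Each policy is just the list of origins it allows; all policies must agree.
class Doc {
  constructor(policies, lockOnRequest = false) {
    this.cspList = policies.map((p) => [...p]);
    this.lockOnRequest = lockOnRequest; // the "lock" idea from the message
    this.locked = false;
  }
  // Models a <meta http-equiv="Content-Security-Policy"> parsed later on.
  addMetaPolicy(allowedOrigins) {
    if (this.locked) return false; // list is frozen, late policy is refused
    this.cspList.push([...allowedOrigins]);
    return true;
  }
}

function allowedBy(cspList, url) {
  const origin = new URL(url).origin;
  return cspList.every((policy) => policy.includes(origin));
}

function startRequest(doc) {
  if (doc.lockOnRequest) doc.locked = true;
  // Copy taken on the main thread, so later checks never touch the document.
  return { doc, cspSnapshot: doc.cspList.map((p) => [...p]) };
}

// mode "live" reads the document's list at redirect time (the global state
// the issue title refers to); mode "snapshot" reads only the request's copy.
function checkRedirect(request, url, mode) {
  const list = mode === "snapshot" ? request.cspSnapshot : request.doc.cspList;
  return allowedBy(list, url);
}

function scenario(mode, lockOnRequest = false) {
  const doc = new Doc([["https://a.example", "https://b.example"]], lockOnRequest);
  const request = startRequest(doc);
  // A stricter policy arrives via <meta> while the fetch is in flight.
  const added = doc.addMetaPolicy(["https://a.example"]);
  const redirectAllowed = checkRedirect(request, "https://b.example/next", mode);
  return { added, redirectAllowed };
}

console.log(scenario("live"), scenario("snapshot"), scenario("live", true));
```

In the "live" run the outcome of the redirect check depends on when the `<meta>` policy happens to be parsed; with a snapshot or a lock the outcome is fixed at the moment the request is created.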