Re: [whatwg/fetch] "Set internalResponse’s CSP list" never sets it on the non-internal response? (#1002)

> The idea is that fields that are not filtered remain the same. That probably ought to be clarified.

Oh, interesting, so "Set response to the following filtered response with response as its internal response" is meant to create a sort of live two-way binding, where changes to the internal response also affect the filtered response? Very interesting. The spec text works as intended then, but yeah, it's not super-clear. Maybe I can try to submit something to clarify.

> It's also not entirely clear to me anymore why we store CSP list on responses though.

Working with a similar setup for origin policy, I can say that this setup is quite convenient. Various algorithms take a response as input and really want to look at the CSP list (or origin policy). For example, most of the sub-algorithms in https://w3c.github.io/webappsec-csp/#html-integration and their call sites in HTML.

> Is there ever a response without a Content-Security-Policy header that still ends up with a CSP list?

Well, after origin policy, there will be :).

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1002#issuecomment-589965329

Received on Saturday, 22 February 2020 15:15:04 UTC
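A toy model of the relationship the reply above describes, added here as an illustration; it is not code from the Fetch spec, from this thread, or from any browser. A filtered response wraps an internal response: the filter fixes some fields (type, status, header list, and so on), and every other field, including the CSP list, is read and written through to the internal response, so "set internalResponse's CSP list" is observable through the filtered response without any copying. The field names (`cspList`, `headerList`, `urlList`) follow the spec's prose, and the `setCspListFromHeaders` helper and the sample headers are assumptions constructed for this example.

```javascript
// Added example: a Proxy-based model of Fetch's "filtered response" wrapping an
// "internal response". Filtered fields live on the override object; all other
// fields are live views onto the internal response. Field names are assumed
// from spec prose, not a real browser API.

// Forbidden response-header names, stripped by the basic filter.
const FORBIDDEN_RESPONSE_HEADER_NAMES = new Set(["set-cookie", "set-cookie2"]);

// A plain object standing in for the spec's "response" struct.
function makeResponse({ url, status = 200, headerList = [], body = null }) {
  return {
    type: "default",
    urlList: [url],
    status,
    statusMessage: "OK",
    headerList, // array of [name, value] pairs
    body,
    cspList: [], // filled in later by "set internalResponse's CSP list"
  };
}

// The fields a given filter replaces; everything else reads through.
function filterOverrides(kind, internal) {
  switch (kind) {
    case "basic":
      return {
        type: "basic",
        headerList: internal.headerList.filter(
          ([name]) => !FORBIDDEN_RESPONSE_HEADER_NAMES.has(name.toLowerCase())),
      };
    case "opaque":
      return { type: "opaque", urlList: [], status: 0, statusMessage: "", headerList: [], body: null };
    default:
      throw new TypeError(`unsupported filter kind: ${kind}`);
  }
}

// "Set response to the following filtered response with response as its
// internal response": the returned object is a live view, not a copy.
function makeFilteredResponse(kind, internal) {
  const overrides = filterOverrides(kind, internal);
  return new Proxy(overrides, {
    get(target, prop) {
      if (prop === "internalResponse") return internal;
      if (prop in target) return target[prop]; // filtered field, fixed by the filter
      return internal[prop]; // non-filtered field, read through to internal response
    },
    set(target, prop, value) {
      if (prop in target) target[prop] = value;
      else internal[prop] = value; // writes to non-filtered fields land on the internal response
      return true;
    },
    has(target, prop) { return prop in target || prop in internal; },
  });
}

// Assumed helper standing in for "set internalResponse's CSP list": one policy
// object per Content-Security-Policy header, split into directives.
function setCspListFromHeaders(internal) {
  internal.cspList = internal.headerList
    .filter(([name]) => name.toLowerCase() === "content-security-policy")
    .map(([, value]) => ({ directives: value.split(";").map((d) => d.trim()).filter(Boolean) }));
  return internal.cspList;
}

function demo() {
  // Constructed sample response; not captured from a real server.
  const internal = makeResponse({
    url: "https://example.test/page",
    headerList: [
      ["Content-Security-Policy", "default-src 'self'; script-src 'self' https://cdn.example.test"],
      ["Set-Cookie", "sid=abc; HttpOnly"],
      ["Content-Type", "text/html"],
    ],
  });
  const basic = makeFilteredResponse("basic", internal);
  const opaque = makeFilteredResponse("opaque", internal);

  const cspBefore = basic.cspList.length; // nothing set yet
  setCspListFromHeaders(basic.internalResponse); // the step the thread asks about
  const cspAfter = basic.cspList.length; // now visible through the filtered response
  const directives = basic.cspList[0].directives.length;
  const sharedWithOpaque = opaque.cspList === internal.cspList; // same object, no copy

  basic.cspList = []; // assignment through the filtered view reaches the internal response
  const clearedOnInternal = internal.cspList.length === 0;

  return {
    cspBefore, cspAfter, directives, sharedWithOpaque, clearedOnInternal,
    basicType: basic.type,
    basicHasSetCookie: basic.headerList.some(([n]) => n.toLowerCase() === "set-cookie"),
    opaqueStatus: opaque.status,
    opaqueHeaderCount: opaque.headerList.length,
    internalStatus: internal.status, // the filter never touches the internal response
  };
}
```

The point of the model is the last few lines of `demo()`: the filtered response is a view, so a CSP list set on the internal response after filtering is observable through it, while the filter's own fields (status 0 and an empty header list for opaque, no Set-Cookie for basic) stay fixed and the internal response itself is untouched.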