Re: [whatwg/fetch] "Set internalResponse’s CSP list" never sets it on the non-internal response? (#1002) from Domenic Denicola on 2020-02-24 (public-webapps-github@w3.org from February 2020)

From: Domenic Denicola <notifications@github.com>
Date: Mon, 24 Feb 2020 08:22:26 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1002/590414626@github.com>

Hmm, so I guess you are comparing:

 - Doing the parsing once and storing the parsed results on the response (e.g. https://w3c.github.io/webappsec-csp/#set-response-csp-list and then all the places in https://w3c.github.io/webappsec-csp/#html-integration that use response's CSP list), vs.
- Having each place that would use the CSP list recieve a response and parse the header there?

As I said, the former (i.e. the current strategy) seems to match Chrome's implementation more, and seems pretty nice to me. But I guess they are isomorphic; you just need to take more care to synchronize all the different parsing sites if you take the latter approach.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1002#issuecomment-590414626

Received on Monday, 24 February 2020 16:22:38 UTC