Re: broadening default-src semantics from Devdatta Akhawe on 2013-06-01 (public-webappsec@w3.org from June 2013)

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 31 May 2013 19:45:16 -0700
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Yehuda Katz <wycats@gmail.com>, public-webappsec@w3.org
Message-ID: <CAPfop_3vd2QVjF+Osvc76YO0Jby3R7H3+KWdd5sf-U=aUTgc3A@mail.gmail.com>

>> It would be better if it was spec'ed as covering all network requests,
>> period.

What does "all network requests" or the broader "all resource loads"
cover? links ? window.open? refresh via the meta header? csp reports?

Or do you mean "secondary resource loads"?

FWIW, I wouldn't mind if it covers everything above, but I am not sure
browsers are willing to consider such a design.

thanks
Dev

Received on Saturday, 1 June 2013 02:46:07 UTC