W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2013

Re: broadening default-src semantics

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 1 Jun 2013 01:27:27 -0700
Message-ID: <CAJE5ia9k8ER8p3O6Mp7e4BXvEBGw3uqD9sm6EAULC6HQN6_YcA@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, Yehuda Katz <wycats@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, May 31, 2013 at 7:45 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>> It would be better if it was spec'ed as covering all network requests,
>>> period.
>
> What does "all network requests" or the broader "all resource loads"
> cover? links ? window.open? refresh via the meta header? csp reports?
>
> Or do you mean "secondary resource loads"?
>
> FWIW, I wouldn't mind if it covers everything above, but I am not sure
> browsers are willing to consider such a design.

I imagine we'd spec this in terms of the "fetch" algorithm, which will
give precise answers to all these questions.

Yehuda and I also talked about reversing the table of which directives
default-src affects so that other specs can add directives that plug
into default-src instead of having to rev CSP every time someone wants
to do that.

Adam
Received on Saturday, 1 June 2013 08:28:25 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:02 UTC