- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 1 Jun 2013 01:27:27 -0700
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Daniel Veditz <dveditz@mozilla.com>, Yehuda Katz <wycats@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, May 31, 2013 at 7:45 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote: >>> It would be better if it was spec'ed as covering all network requests, >>> period. > > What does "all network requests" or the broader "all resource loads" > cover? links ? window.open? refresh via the meta header? csp reports? > > Or do you mean "secondary resource loads"? > > FWIW, I wouldn't mind if it covers everything above, but I am not sure > browsers are willing to consider such a design. I imagine we'd spec this in terms of the "fetch" algorithm, which will give precise answers to all these questions. Yehuda and I also talked about reversing the table of which directives default-src affects so that other specs can add directives that plug into default-src instead of having to rev CSP every time someone wants to do that. Adam
Received on Saturday, 1 June 2013 08:28:25 UTC