W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2013

Re: Fetching contexts

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 20 Jun 2013 16:27:59 +0900
Message-ID: <CADnb78hFU-aiAVetL0rrpp-EyaatWnV+n+WM9sP67aAXM2DL3Q@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>, Gordon Hemsley <me@gphemsley.org>, Adam Barth <w3c@adambarth.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
Context: http://wiki.whatwg.org/wiki/Contexts (hah)

On Fri, Jun 7, 2013 at 1:35 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> We should probably add at least workers, XMLHttpRequest, SVG resource
> documents, document.load, XSLT.  Probably eventually the components import
> stuff.

It seems XMLHttpRequest is connect-src. Workers are covered by
script-src.  HTML component imports are covered by script-src (for

Not clear about SVG, document.load, and XSLT. Adam?

> Does EventSource do a fetch internally?


> I'm not sure whether any UAs fetch DTDs in practice, but if so they should
> be added too.

I think we should treat that as a bug :-)

> <object> might need to be a separate context from "nested browsing" and
> "plugin", possibly.  It really depends on how the spec for it reads.

It seems object-src is defined as being applicable to any kind of
fetching <object> / <embed> / <applet> might do. Calling it a plugin
context might be somewhat misleading, but I don't have a better idea.

Received on Thursday, 20 June 2013 07:28:26 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:33 UTC