- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 20 Jun 2013 16:27:59 +0900
- To: Boris Zbarsky <bzbarsky@mit.edu>, Gordon Hemsley <me@gphemsley.org>, Adam Barth <w3c@adambarth.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
Context: http://wiki.whatwg.org/wiki/Contexts (hah)

On Fri, Jun 7, 2013 at 1:35 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> We should probably add at least workers, XMLHttpRequest, SVG resource
> documents, document.load, XSLT. Probably eventually the components import
> stuff.

It seems XMLHttpRequest is connect-src. Workers are covered by script-src. HTML component imports are covered by script-src (for now). Not clear about SVG, document.load, and XSLT. Adam?

> Does EventSource do a fetch internally?

Yes.

> I'm not sure whether any UAs fetch DTDs in practice, but if so they should
> be added too.

I think we should treat that as a bug :-)

> <object> might need to be a separate context from "nested browsing" and
> "plugin", possibly.

It really depends on how the spec for it reads. It seems object-src is defined as being applicable to any kind of fetching <object> / <embed> / <applet> might do. Calling it a plugin context might be somewhat misleading, but I don't have a better idea.

--
http://annevankesteren.nl/
Received on Thursday, 20 June 2013 07:28:26 UTC
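As an added illustration of the context-to-directive mapping discussed in the mail (example code, not part of the thread or of any UA or spec): a small resolver that picks the CSP directive governing a fetch context, falls back to default-src, and checks a URL against the listed source expressions. The context names, the EventSource entry under connect-src (taken from CSP 1.0, not stated in the mail) and the simplified source matching (no paths; any port is compared as part of the host) are assumptions.

```python
from urllib.parse import urlsplit

# Fetch context -> governing CSP directive, as laid out in the mail. The
# EventSource entry is taken from CSP 1.0 (assumption, not stated in the mail).
CONTEXT_DIRECTIVE = {
    "xmlhttprequest": "connect-src",
    "eventsource": "connect-src",
    "worker": "script-src",
    "html-import": "script-src",
    "object": "object-src",
    "embed": "object-src",
    "applet": "object-src",
}

def parse_policy(header):
    # 'dir src src; dir src' -> {directive: [source expressions]}
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def governing_directive(policy, context):
    # The context's own directive wins; otherwise default-src; otherwise nothing.
    directive = CONTEXT_DIRECTIVE[context]
    if directive in policy:
        return directive
    return "default-src" if "default-src" in policy else None

def source_matches(expr, url, page_origin):
    # Simplified CSP 1.0 source matching: 'none', *, 'self', scheme:, host.
    u = urlsplit(url)
    if expr in ("'none'", "*"):
        return expr == "*"
    if expr == "'self'":
        return u.scheme + "://" + u.netloc == page_origin
    if expr.endswith(":"):  # scheme-source such as https:
        return u.scheme == expr[:-1]
    scheme, _, host = expr.rpartition("://")  # host-source, optional scheme
    if scheme and scheme != u.scheme:
        return False
    if host.startswith("*."):  # wildcard needs at least one subdomain label
        return u.netloc.endswith(host[1:])
    return u.netloc == host  # netloc includes any port, so ports must match

def fetch_allowed(header, context, url, page_origin):
    # True if a fetch from `context` to `url` passes the policy header.
    policy = parse_policy(header)
    directive = governing_directive(policy, context)
    if directive is None:
        return True  # no directive for this context: fetch is unrestricted
    return any(source_matches(e, url, page_origin) for e in policy[directive])
```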