
Re: CSP: connect-src

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 25 Jun 2013 21:41:42 +0900
Message-ID: <CADnb78iN=5tyiV1JbUzd9XqBSW0qDbqtBNWFD8F7etPnyAbT5w@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>, Ian Hickson <ian@hixie.ch>
Cc: WebAppSec WG <public-webappsec@w3.org>

On Sun, Jun 23, 2013 at 1:54 PM, Adam Barth <w3c@adambarth.com> wrote:
> Yeah, I'm happy to re-write that section once the fetch spec provides
> the proper hooks.

So it seems for fetching you need to know which Document is in scope
and what the API is (e.g. image-src). However, if we want fetching to
happen off-the-main-thread we don't want a hard dependency on the
Document object so you need to abstract out. We could either do this
by passing the CSP policy on a per-fetch basis or have something like
a "fetch group" through which individual fetches are queued. I believe
the latter is closer to what implementations have today.

That would also make it easier to standardize the policy for image
loading consistently across HTML, CSS, and SVG (that using the same
URL avoids another HTTP request and goes straight to the cache).

Not entirely clear to me what the best forum to discuss these issues
is, but for now I suppose this will do.

> If you like, we can use a different context for fetch-based APIs
> (e.g., XMLHttpRequest) and WebSockets.  The connect-src directive can
> say that it applies to both contexts.

Seems fine as is.

Received on Tuesday, 25 June 2013 12:42:13 UTC
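
The "fetch group" option described in the message above, sketched as an added example that is not part of the original post or of any specification: a group object carries the CSP policy so each queued fetch is checked by its context without touching a Document. The names FetchGroup, CONTEXT_DIRECTIVE and parsePolicy, the example origins, and the simplified source matching are all assumptions.

```javascript
// Added sketch; FetchGroup, CONTEXT_DIRECTIVE and parsePolicy are hypothetical names.
const CONTEXT_DIRECTIVE = new Map([
  ["image", "img-src"],         // HTML, CSS and SVG image loads share one context
  ["xhr", "connect-src"],       // XMLHttpRequest
  ["websocket", "connect-src"], // WebSocket
]);

// Parse a CSP header value into Map<directive, sources>; first occurrence wins.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Simplified matching (assumption): *, 'self', "scheme:", and [scheme://][*.]host.
// Ports, paths and the scheme-upgrade rules of real CSP are not modelled.
function sourceMatches(source, url, selfOrigin) {
  if (source === "*") return true;
  if (source === "'self'") return url.origin === selfOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)$/i.exec(source);
  if (!m) return false; // unsupported source expression: fail closed
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  const h = host.toLowerCase();
  return wildcard ? url.hostname.endsWith("." + h) : url.hostname === h;
}

// Holds the policy so individual fetches need no reference to a Document.
class FetchGroup {
  constructor(selfOrigin, cspHeader) {
    this.selfOrigin = selfOrigin;
    this.policy = parsePolicy(cspHeader);
    this.queue = [];
  }
  enqueue(rawUrl, context) {
    const directive = CONTEXT_DIRECTIVE.get(context);
    if (!directive) throw new Error("unknown fetch context: " + context);
    const url = new URL(rawUrl, this.selfOrigin);
    const sources = this.policy.get(directive) ?? this.policy.get("default-src");
    const allowed = sources === undefined ||
      sources.some((s) => sourceMatches(s, url, this.selfOrigin));
    if (allowed) this.queue.push({ url: url.href, context });
    return { allowed, directive };
  }
}
```

Because both "xhr" and "websocket" map to connect-src, one directive governs both contexts, and a blocked fetch never reaches the queue.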
