- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 25 Jun 2013 21:41:42 +0900
- To: Adam Barth <w3c@adambarth.com>, Ian Hickson <ian@hixie.ch>
- Cc: WebAppSec WG <public-webappsec@w3.org>
On Sun, Jun 23, 2013 at 1:54 PM, Adam Barth <w3c@adambarth.com> wrote:
> Yeah, I'm happy to re-write that section once the fetch spec provides
> the proper hooks.

So it seems for fetching you need to know which Document is in scope and what the API is (e.g. image-src). However, if we want fetching to happen off-the-main-thread we don't want a hard dependency on the Document object, so you need to abstract out. We could either do this by passing the CSP policy on a per-fetch basis or have something like a "fetch group" through which individual fetches are queued. I believe the latter is closer to what implementations have today.

That would also make it easier to standardize the policy for image loading consistently across HTML, CSS, and SVG (that using the same URL avoids another HTTP request and goes straight to the cache).

Not entirely clear to me what the best forum to discuss these issues is, but for now I suppose this will do.

> If you like, we can use a different context for fetch-based APIs
> (e.g., XMLHttpRequest) and WebSockets. The connect-src directive can
> say that it applies to both contexts.

Seems fine as is.

--
http://annevankesteren.nl/
Received on Tuesday, 25 June 2013 12:42:13 UTC
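The "fetch group" idea in the message above, sketched as a small illustration (this is added example code, not anything from the thread, the Fetch spec or the CSP spec): the group carries the origin and the CSP policy, so each queued fetch is checked against the directive for its API context without any reference to a Document. The `DIRECTIVE_FOR_CONTEXT` table, the `FetchGroup` class and the source-matching rules are assumptions made for the example; matching is deliberately simplified (no path matching, no default-port normalisation) and only models the point the mail makes, that `connect-src` governs both the fetch-based API context and the WebSocket context.

```javascript
// Added illustration of a CSP-aware "fetch group" (hypothetical; not spec or browser code).

// Map an API context to the directive that governs it. Both the XHR-style
// context and the WebSocket context resolve to connect-src, as the mail proposes.
const DIRECTIVE_FOR_CONTEXT = {
  image: 'img-src',
  script: 'script-src',
  style: 'style-src',
  xhr: 'connect-src',
  websocket: 'connect-src',
};

// Parse "directive source source; directive source" into a Map of source lists.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Simplified source-expression matching: 'none', 'self', '*', scheme-source and
// host-source (optional scheme, optional *. wildcard, optional port).
function sourceMatches(source, url, groupOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === groupOrigin;
  if (source === '*') return true;
  if (source.endsWith(':')) return url.protocol === source;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  const hostOk = wildcard ? h.endsWith('.' + want) : h === want;
  if (!hostOk) return false;
  // url.port is '' for a default port; this simplified check does not normalise that.
  if (port && port !== '*' && url.port !== port) return false;
  return true;
}

// A fetch group owns the policy; fetches are queued through it rather than
// consulting a Document, so the check can run off the main thread.
class FetchGroup {
  constructor(origin, cspHeader) {
    this.origin = origin;            // e.g. 'https://app.example' (constructed)
    this.policy = parsePolicy(cspHeader);
    this.queue = [];
  }

  // Queue one fetch and record whether the group's policy allows it.
  enqueue(urlString, context) {
    const url = new URL(urlString);
    const directive = DIRECTIVE_FOR_CONTEXT[context];
    // Fall back to default-src when the specific directive is absent.
    const sources = this.policy.get(directive) ?? this.policy.get('default-src');
    const allowed =
      sources === undefined || sources.some((s) => sourceMatches(s, url, this.origin));
    const entry = { url: url.href, context, directive, allowed };
    this.queue.push(entry);
    return entry;
  }
}

// Constructed sample: one group shared by an image load, an XHR and a WebSocket.
function demo() {
  const group = new FetchGroup(
    'https://app.example',
    "default-src 'self'; img-src 'self' https://cdn.example; connect-src 'self' wss://rt.example"
  );
  group.enqueue('https://cdn.example/logo.png', 'image');
  group.enqueue('https://app.example/api/items', 'xhr');
  group.enqueue('wss://rt.example/socket', 'websocket');
  group.enqueue('wss://other.example/socket', 'xhr');
  return group.queue;
}

module.exports = { DIRECTIVE_FOR_CONTEXT, parsePolicy, sourceMatches, FetchGroup, demo };
```

Because the decision lives on the group, the same object can be handed to the HTML, CSS and SVG image loaders, which is what makes a consistent image-loading policy across the three straightforward.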