W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2013

CSP: error handling

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 12 Mar 2013 12:12:36 +0000
Message-ID: <CADnb78hLXXe+piw+OtENye8yNpTNJOyW-PeWn2ZJcYeqoL9T8A@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
Rather than returning an empty HTTP 400 response, CSP should act as if
there was a network error. That would be much more consistent with
error handling we've used elsewhere in the platform. E.g. if CORS goes
wrong, you'll get a network error.

FWIW, http://html5.org/temp/fetch.html is the start of drafting the
fetching model the platform uses and I think once it's a bit more
mature we should start providing explicit hooks for CSP in it so the
whole model becomes tightly integrated and you don't have to look in
various places to see what actually happens when a resource is being

Received on Tuesday, 12 March 2013 12:13:09 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:31 UTC