Re: CSP: error handling from Mike West on 2013-03-18 (public-webappsec@w3.org from March 2013)

From: Mike West <mkwst@google.com>
Date: Mon, 18 Mar 2013 11:39:14 +0100
To: Anne van Kesteren <annevk@annevk.nl>, "dveditz@mozilla.com" <dveditz@mozilla.com>, Ian Melven <imelven@mozilla.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CAKXHy=eXvofM7nhR290RvigCcPOkdpBqMF388XKsyqkLRhK+eg@mail.gmail.com>

This seems like a reasonable change. Are there any objections to changing
this language?

-mike

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91


On Tue, Mar 12, 2013 at 1:12 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> Rather than returning an empty HTTP 400 response, CSP should act as if
> there was a network error. That would be much more consistent with
> error handling we've used elsewhere in the platform. E.g. if CORS goes
> wrong, you'll get a network error.
>
> FWIW, http://html5.org/temp/fetch.html is the start of drafting the
> fetching model the platform uses and I think once it's a bit more
> mature we should start providing explicit hooks for CSP in it so the
> whole model becomes tightly integrated and you don't have to look in
> various places to see what actually happens when a resource is being
> fetched.
>
>
> --
> http://annevankesteren.nl/
>
>

Received on Monday, 18 March 2013 10:40:02 UTC