Re: CSP: error handling

From: Mike West <mkwst@google.com>
Date: Mon, 18 Mar 2013 11:39:14 +0100
Message-ID: <CAKXHy=eXvofM7nhR290RvigCcPOkdpBqMF388XKsyqkLRhK+eg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>, "dveditz@mozilla.com" <dveditz@mozilla.com>, Ian Melven <imelven@mozilla.com>
Cc: WebAppSec WG <public-webappsec@w3.org>

This seems like a reasonable change. Are there any objections to changing
this language?


Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

On Tue, Mar 12, 2013 at 1:12 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> Rather than returning an empty HTTP 400 response, CSP should act as if
> there was a network error. That would be much more consistent with
> error handling we've used elsewhere in the platform. E.g. if CORS goes
> wrong, you'll get a network error.
>
> FWIW, http://html5.org/temp/fetch.html is the start of drafting the
> fetching model the platform uses and I think once it's a bit more
> mature we should start providing explicit hooks for CSP in it so the
> whole model becomes tightly integrated and you don't have to look in
> various places to see what actually happens when a resource is being
> fetched.
> --
> http://annevankesteren.nl/

Received on Monday, 18 March 2013 10:40:02 UTC