
Re: CSP: set of report URIs

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sat, 23 Mar 2013 19:37:37 +0000
Message-ID: <CADnb78jMDL+Wvf8iDwzf__Hi43p40-Lbi-Haw85vFwSGS3ZeZg@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
On Tue, Mar 19, 2013 at 11:16 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> Is this set of URLs guaranteed to be same-origin somehow? Doing a
> cross-origin POST request with a JSON entity body is not something
> either <form> or XMLHttpRequest with CORS can do so would require at
> least a CORS preflight.

Note also that the invocation of fetch that is used does not limit
credentials in any way. That seems like a bug.

I created http://wiki.whatwg.org/wiki/HTTP_Fetch_Policy by the way
where I try to document what kind of requests can be made from a
website. The idea is to figure out if we actually have any kind of
policy in place here or if we're just making wild guesses about
whether what we do is secure or not for the third party... I have the
feeling we're quite inconsistent.

Received on Saturday, 23 March 2013 19:38:04 UTC
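The two points raised in the message above (whether report-uri targets are same-origin, and that a cross-origin POST carrying a JSON body is not something a form or CORS-without-preflight XHR can send) can be made concrete with a small script. This is an added example, not code from the thread, from the WebAppSec WG or from any CSP implementation; the policy string, document URL and collector hostnames in it are constructed for illustration. It parses a Content-Security-Policy header value, resolves each report-uri against the protected document and flags the cross-origin ones, checks the report Content-Type against the three form-compatible types that avoid a CORS preflight, and builds the JSON body in the CSP 1.0 report format.

```javascript
// Split a policy into directives, e.g.
//   "default-src 'self'; report-uri /a /b"
// becomes Map { "default-src" => ["'self'"], "report-uri" => ["/a", "/b"] }.
// CSP keeps only the first occurrence of a duplicated directive.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Resolve every report-uri value against the document URL and record whether
// the target is same-origin. Relative values always stay same-origin; absolute
// ones may not, and those are the targets that receive a cross-origin POST.
function classifyReportUris(policy, documentUrl) {
  const doc = new URL(documentUrl);
  const targets = parseCsp(policy).get("report-uri") || [];
  return targets.map((t) => {
    const url = new URL(t, doc);
    return { url: url.href, sameOrigin: url.origin === doc.origin };
  });
}

// The only Content-Types a <form> or XMLHttpRequest can send cross-origin
// without a CORS preflight. The report Content-Type is not among them.
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

function needsPreflight(contentType) {
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return !SIMPLE_CONTENT_TYPES.has(essence);
}

// Build the CSP 1.0 violation report body. A user agent sends this as the
// entity body of a POST with Content-Type: application/csp-report.
function buildCspReport({ documentUri, referrer, blockedUri,
                          violatedDirective, originalPolicy }) {
  return JSON.stringify({
    "csp-report": {
      "document-uri": documentUri,
      "referrer": referrer,
      "blocked-uri": blockedUri,
      "violated-directive": violatedDirective,
      "original-policy": originalPolicy,
    },
  });
}

// Describe each report request a user agent would make for a violation, so
// the cross-origin targets and the preflight question are visible together.
function describeReportRequests(policy, documentUrl, report) {
  const contentType = "application/csp-report";
  return classifyReportUris(policy, documentUrl).map((t) => ({
    method: "POST",
    url: t.url,
    contentType,
    body: report,
    crossOrigin: !t.sameOrigin,
    wouldNeedPreflightViaCors: !t.sameOrigin && needsPreflight(contentType),
  }));
}

// Constructed sample: one relative and one absolute report-uri.
const SAMPLE_POLICY =
  "default-src 'self'; report-uri /csp-report https://collector.example.net/r";
const SAMPLE_DOCUMENT = "https://app.example.com/page";
const SAMPLE_REPORT = buildCspReport({
  documentUri: SAMPLE_DOCUMENT,
  referrer: "",
  blockedUri: "https://third-party.example/x.js",
  violatedDirective: "default-src 'self'",
  originalPolicy: SAMPLE_POLICY,
});

for (const req of describeReportRequests(SAMPLE_POLICY, SAMPLE_DOCUMENT, SAMPLE_REPORT)) {
  console.log(req.method, req.url,
    req.crossOrigin ? "(cross-origin)" : "(same-origin)",
    req.wouldNeedPreflightViaCors ? "preflight required if sent via CORS" : "");
}
```

The script only models the request shape; it says nothing about which cookies go along with it, because the reporting fetch as specified did not restrict credentials, which is the second point of the message above. Anyone running a report collector on a separate origin should expect credentialed POSTs from the reporting origin and should not rely on the browser having performed a preflight.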
