- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 30 Sep 2013 13:02:30 -0400
- To: WebAppSec WG <public-webappsec@w3.org>
- Cc: Yehuda Katz <wycats@gmail.com>, Alex Russell <slightlyoff@google.com>, Adam Barth <w3c@adambarth.com>, Ian Hickson <ian@hixie.ch>
Alex pushed back on merging CSP and Fetch, arguing the Fetch layer should know nothing about the document. This seems reasonable. Image loading knows something about the document, but that could be done pre-network layer I suppose.

How do HSTS and CSP work together? I think HSTS would be network layer, which means some URLs might be blocked by CSP, even though they would not have been blocked after a network layer trip. I guess treating them similar to redirects is fine (and is how they're implemented in Gecko, mostly, iirc). Anything else?

I still think we need a "high-level" entry point for people defining end points so they don't forget about CSP. So instead of invoking "fetch" directly at the specification level they'd invoke "document fetch" maybe? Who will own that?

-- 
http://annevankesteren.nl/
Received on Monday, 30 September 2013 17:02:58 UTC
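The layering question in the message above, as an added illustration that is not part of the original thread: a toy fetch pipeline in which CSP source matching and the HSTS upgrade are run in the three possible orders (CSP first, HSTS treated like a redirect, HSTS first), so that the same request gets a different verdict depending on which layer sees it. The HSTS host set, the simplified scheme-and-host matcher and the function names are constructed for this example and do not reflect how any browser or spec actually orders these steps.

```python
from urllib.parse import urlsplit

# Constructed sample: hosts the browser already remembers as HSTS.
HSTS_HOSTS = {"example.com"}


def hsts_upgrade(url: str) -> str:
    """Network-layer step: rewrite http:// to https:// for known HSTS hosts."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in HSTS_HOSTS:
        return parts._replace(scheme="https").geturl()
    return url


def csp_allows(sources: list[str], url: str) -> bool:
    """Toy source-list match: scheme and host must both equal one 'scheme://host'
    source. Real CSP matching has more rules (ports, paths, wildcards); only the
    part that matters for the ordering question is kept here."""
    u = urlsplit(url)
    return any(urlsplit(s).scheme == u.scheme and urlsplit(s).hostname == u.hostname
               for s in sources)


def csp_then_network(sources, url):
    """Fetch layer knows nothing about the document: CSP runs first, HSTS after."""
    if not csp_allows(sources, url):
        return "blocked", url
    return "allowed", hsts_upgrade(url)


def hsts_as_redirect(sources, url):
    """HSTS treated like a redirect: CSP checks the original URL, then the rewritten one."""
    if not csp_allows(sources, url):
        return "blocked", url
    upgraded = hsts_upgrade(url)
    if upgraded != url and not csp_allows(sources, upgraded):
        return "blocked", upgraded
    return "allowed", upgraded


def network_then_csp(sources, url):
    """Network layer runs first: CSP only ever sees the upgraded URL."""
    upgraded = hsts_upgrade(url)
    if not csp_allows(sources, upgraded):
        return "blocked", upgraded
    return "allowed", upgraded


if __name__ == "__main__":
    policy = ["https://example.com"]  # e.g. img-src https://example.com
    for pipeline in (csp_then_network, hsts_as_redirect, network_then_csp):
        print(pipeline.__name__, pipeline(policy, "http://example.com/a.png"))
```

With an https-only policy, an http: URL to an HSTS host is blocked in the first two orderings and allowed only when the upgrade happens before CSP looks, which is exactly the discrepancy the message points out.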