
CSP and Fetch

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 30 Sep 2013 13:02:30 -0400
Message-ID: <CADnb78g27sihS=+maf4p_jVt8eVnBvLoj0_kroPRn6RwkZC0WA@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
Cc: Yehuda Katz <wycats@gmail.com>, Alex Russell <slightlyoff@google.com>, Adam Barth <w3c@adambarth.com>, Ian Hickson <ian@hixie.ch>

Alex pushed back on merging CSP and Fetch, arguing the Fetch layer
should know nothing about the document. This seems reasonable.

Image loading knows something about the document, but that could be
done pre-network layer I suppose.

How do HSTS and CSP work together? I think HSTS would be network
layer, which means some URLs might be blocked by CSP, even though they
would not have been blocked after a network layer trip. I guess
treating them similar to redirects is fine (and is how they're
implemented in Gecko, mostly, iirc).

Anything else?

I still think we need a "high-level" entry point for people defining
end points so they don't forget about CSP. So instead of invoking
"fetch" directly at the specification level they'd invoke "document
fetch" maybe? Who will own that?

Received on Monday, 30 September 2013 17:02:58 UTC
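As an added illustration of the HSTS/CSP ordering question raised in the message above (this is not code from the original post or from any browser), a simplified Python model of CSP 1.0 host-source matching and an HSTS upgrade, evaluated under three orderings. The policy, the HSTS host set and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed policy: only HTTPS loads from example.com are allowed.
# In CSP 1.0 a scheme given in a source expression must match exactly,
# so http://example.com/... is NOT matched by "https://example.com".
POLICY = {"img-src": ["https://example.com"]}

# Constructed HSTS cache: hosts the UA would upgrade to HTTPS at the network layer.
HSTS_HOSTS = {"example.com"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def matches_source(url, source):
    """Simplified CSP 1.0 host-source match on (scheme, host, port)."""
    u, s = urlsplit(url), urlsplit(source)
    u_port = u.port or DEFAULT_PORTS.get(u.scheme)
    s_port = s.port or DEFAULT_PORTS.get(s.scheme)
    return (u.scheme, u.hostname, u_port) == (s.scheme, s.hostname, s_port)


def csp_allows(url, directive, policy=POLICY):
    """Document-layer check: does any source in the directive match the URL?"""
    return any(matches_source(url, src) for src in policy[directive])


def hsts_upgrade(url, hsts_hosts=HSTS_HOSTS):
    """Network-layer rewrite: http -> https for hosts with a known HSTS entry."""
    u = urlsplit(url)
    if u.scheme == "http" and u.hostname in hsts_hosts:
        return u._replace(scheme="https").geturl()
    return url


def load(url, directive, order):
    """Return (allowed, final_url) for one of three layer orderings."""
    final = hsts_upgrade(url)
    if order == "csp-before-hsts":
        # CSP sees the pre-upgrade URL and blocks it, even though the
        # URL actually fetched would have been allowed.
        return csp_allows(url, directive), final
    if order == "hsts-before-csp":
        # CSP sees the upgraded URL; the network layer leaks into policy.
        return csp_allows(final, directive), final
    if order == "hsts-as-redirect":
        # Treat the upgrade like a redirect: both the original and the
        # upgraded URL must pass the policy.
        return csp_allows(url, directive) and csp_allows(final, directive), final
    raise ValueError(order)
```

The first and third orderings block the plain-http image URL; only the second allows it, which is the discrepancy the message describes.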
