CSP and Fetch

Alex pushed back on merging CSP and Fetch, arguing the Fetch layer
should know nothing about the document. This seems reasonable.

Image loading knows something about the document, but that could be
done pre-network layer I suppose.

How do HSTS and CSP work together? I think HSTS would be network
layer, which means some URLs might be blocked by CSP, even though they
would not have been blocked after a network layer trip. I guess
treating them similar to redirects is fine (and is how they're
implemented in Gecko, mostly, iirc).

Anything else?


I still think we need a "high-level" entry point for people defining
endpoints so they don't forget about CSP. So instead of invoking
"fetch" directly at the specification level they'd invoke "document
fetch" maybe? Who will own that?


-- 
http://annevankesteren.nl/

Received on Monday, 30 September 2013 17:02:58 UTC
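
The ordering question raised in the message above (CSP applied before the network layer, HSTS inside it and treated like a redirect), sketched as an added example that is not part of the original message or of any specification. The function names, the `cdn.example` host, and exact scheme-plus-host source matching are assumptions made for illustration.

```javascript
// Added illustration, not code from the thread. Simplifying assumption:
// a source expression matches on exact scheme + host only.
function cspAllows(sources, url) {
  const u = new URL(url);
  return sources.some((src) => {
    const s = new URL(src);
    return s.protocol === u.protocol && s.hostname === u.hostname;
  });
}

// HSTS modelled as a network-layer rewrite of http: to https: for known hosts.
function hstsUpgrade(hstsHosts, url) {
  const u = new URL(url);
  if (u.protocol === "http:" && hstsHosts.has(u.hostname)) u.protocol = "https:";
  return u.href;
}

// Hypothetical "document fetch" entry point: CSP runs before the network
// layer, and the HSTS rewrite is re-checked the way a redirect hop would be.
function documentFetch(sources, hstsHosts, url) {
  const start = new URL(url).href;
  if (!cspAllows(sources, start)) {
    return { outcome: "blocked", stage: "pre-network", url: start };
  }
  const upgraded = hstsUpgrade(hstsHosts, start);
  if (upgraded !== start && !cspAllows(sources, upgraded)) {
    return { outcome: "blocked", stage: "hsts-as-redirect", url: upgraded };
  }
  return { outcome: "allowed", stage: "network", url: upgraded };
}

// Constructed sample data.
const hsts = new Set(["cdn.example"]);
const img = "http://cdn.example/a.png";

// Policy lists only the https origin: the pre-network check sees http: and
// blocks, although the URL after HSTS would have matched.
const a = documentFetch(["https://cdn.example"], hsts, img);
// Policy lists only the http origin: the first check passes, the rewritten
// URL is checked like a redirect target and is blocked there.
const b = documentFetch(["http://cdn.example"], hsts, img);
// Both origins listed: allowed, and the request goes out as https.
const c = documentFetch(["http://cdn.example", "https://cdn.example"], hsts, img);
console.log(a, b, c);
```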