
Re: CSP and Fetch

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 30 Sep 2013 14:01:14 -0400
Message-ID: <5249BC6A.5080702@mit.edu>
To: public-webappsec@w3.org
On 9/30/13 1:02 PM, Anne van Kesteren wrote:
> Alex pushed back on merging CSP and Fetch, arguing the Fetch layer
> should know nothing about the document. This seems reasonable.

Maybe.

The "Fetch layer" (somewhat broadly defined) needs to know various 
meta-information about the document in practice for all sorts of 
reasons.  Off the top of my head, HTTP 401 handling often needs to show 
UI attached to the relevant document, for example.

The interesting question is what the right set of meta-information is, 
of course.  A priori, there's nothing that says "the CSP policy" 
couldn't be in this set...

> Image loading knows something about the document, but that could be
> done pre-network layer I suppose.

Sort of needs to be: the image loading parts that need to know about the 
document need to run sync from the point of view of the webpage.  :(

> I still think we need a "high-level" entry point for people defining
> end points so they don't forget about CSP. So instead of invoking
> "fetch" directly at the specification level they'd invoke "document
> fetch" maybe?

That seems like "fetch" in all but name to me.

-Boris
Received on Monday, 30 September 2013 18:01:44 UTC