Re: CSP and Fetch

On 9/30/13 1:02 PM, Anne van Kesteren wrote:
> Alex pushed back on merging CSP and Fetch, arguing the Fetch layer
> should know nothing about the document. This seems reasonable.


The "Fetch layer" (somewhat broadly defined) needs to know various 
meta-information about the document in practice for all sorts of 
reasons.  Off the top of my head, HTTP 401 handling often needs to show 
UI attached to the relevant document, for example.

The interesting question is what the right set of meta-information is, 
of course.  A priori, there's nothing that says "the CSP policy" 
couldn't be in this set...

> Image loading knows something about the document, but that could be
> done pre-network layer I suppose.

Sort of needs to be: the image loading parts that need to know about the 
document need to run sync from the point of view of the webpage.  :(

> I still think we need a "high-level" entry point for people defining
> end points so they don't forget about CSP. So instead of invoking
> "fetch" directly at the specification level they'd invoke "document
> fetch" maybe?

That seems like "fetch" in all but name to me.


Received on Monday, 30 September 2013 18:01:44 UTC