- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 23 Apr 2014 20:03:34 +0200
- To: WebAppSec WG <public-webappsec@w3.org>
- Cc: Jake Archibald <jakearchibald@google.com>, Jungkee Song <jungkee.song@samsung.com>, Alex Russell <slightlyoff@google.com>, Dominic Cooney <dominicc@google.com>

On Thu, Feb 6, 2014 at 8:31 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> 1) What fetch contexts do we want to have? See
>
> * http://lists.w3.org/Archives/Public/public-webappsec/2013Jun/thread.html#msg27
> * http://wiki.whatwg.org/wiki/Contexts
> * https://github.com/slightlyoff/ServiceWorker/issues/140#issuecomment-33190003
>
> Basically, fetch contexts would represent some kind of union between
> CSP and other things that can cause fetches not governed by CSP and be
> slightly more low-level than the CSP primitives as to cater to other
> use cases.
>
> Do people here have opinions on the names we use?

I put something in Fetch now:

  http://fetch.spec.whatwg.org/#concept-request-client

CSP can then define that a policy belongs to a global environment. And
that policy has a check algorithm, which given a URL and a context,
returns either yay or nay. Does that make sense? Fetch will invoke
that algorithm before any request (indeed including before a
redirect).

I still think we should change returning a 400 to returning a network error.

--
http://annevankesteren.nl/

Received on Wednesday, 23 April 2014 18:04:02 UTC
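
The arrangement described in the message above, sketched as an added example that is not part of the original post or of the Fetch or CSP specifications: a policy attached to a global environment exposes a check taking a URL and a context, and a simplified fetch loop calls it before the initial request and before every redirect hop, returning a network error when the check fails. The context names, the context-to-directive table, exact-origin source matching, and the in-memory `NETWORK` table are all assumptions made for illustration.

```javascript
// Added illustration. Every name here is hypothetical, not a spec-defined API.
// Constructed mapping from a fetch context to the CSP directive that governs it.
const CONTEXT_TO_DIRECTIVE = { image: "img-src", script: "script-src", connect: "connect-src" };

// A policy belongs to a global environment (modelled below as a plain object).
function makePolicy(directives) {
  return {
    // Check algorithm: given a URL and a context, return true ("yay") or false ("nay").
    check(url, context) {
      const name = CONTEXT_TO_DIRECTIVE[context];
      const sources = directives[name] ?? directives["default-src"];
      if (sources === undefined) return true; // no governing directive: allowed
      // Simplification: a source list is an array of exact origins.
      return sources.includes(new URL(url).origin);
    },
  };
}

// Constructed stand-in for the network: URL -> response. A 3xx entry carries a location.
const NETWORK = {
  "https://cdn.example/a.png": { status: 200 },
  "https://cdn.example/r.png": { status: 302, location: "https://other.example/x.png" },
};

const NETWORK_ERROR = { type: "error", status: 0 };

// Simplified fetch: the policy check runs before every request, redirects included,
// so an allowed first URL cannot be used to reach a disallowed origin.
function fetchWithPolicy(env, url, context, maxRedirects = 20) {
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (!env.policy.check(url, context)) return NETWORK_ERROR; // blocked: network error
    const res = NETWORK[url];
    if (!res) return NETWORK_ERROR; // unreachable in this constructed network
    if (res.status >= 300 && res.status < 400) {
      url = new URL(res.location, url).href; // follow the redirect, then re-check
      continue;
    }
    return { type: "basic", status: res.status, url };
  }
  return NETWORK_ERROR; // too many redirects
}
```

With an `img-src` list containing only `https://cdn.example`, the direct image load succeeds while the one that redirects to `https://other.example` ends in a network error at the second hop.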