Re: CSP, Fetch, and Service Workers

On Thu, Feb 6, 2014 at 8:31 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> 1) What fetch contexts do we want to have? See
>
> * http://lists.w3.org/Archives/Public/public-webappsec/2013Jun/thread.html#msg27
> * http://wiki.whatwg.org/wiki/Contexts
> * https://github.com/slightlyoff/ServiceWorker/issues/140#issuecomment-33190003
>
> Basically, fetch contexts would represent some kind of union between
> CSP and other things that can cause fetches not governed by CSP and be
> slightly more low-level than the CSP primitives as to cater to other
> use cases.
>
> Do people here have opinions on the names we use?

I put something in Fetch now:
http://fetch.spec.whatwg.org/#concept-request-client

CSP can then define that a policy belongs to a global environment. And
that policy has a check algorithm, which given a URL and a context,
returns either yay or nay. Does that make sense?

Fetch will invoke that algorithm before any request (indeed including
before a redirect).

I still think we should change returning a 400 to returning a network error.


-- 
http://annevankesteren.nl/

Received on Wednesday, 23 April 2014 18:04:02 UTC
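
The design sketched in the message above, as an added example that is not part of the original message or of the Fetch or CSP specifications: a policy attached to a global environment exposes a check algorithm taking a URL and a context, and the fetch loop calls it before the first request and again before every redirect hop, returning a network error when the check fails. The names `makePolicy` and `fetchWithPolicy`, the origin-allowlist policy shape, the context strings and the sample hosts are all assumptions made for illustration.

```javascript
// Added illustration; makePolicy, fetchWithPolicy, the context names and the
// sample hosts are assumptions, not taken from the Fetch or CSP specifications.

// A policy attached to one global environment: context -> allowed origins.
function makePolicy(rules) {
  return {
    // The "check algorithm": given a URL and a context, return yay (true) or nay (false).
    check(url, context) {
      const allowed = rules[context] || rules.default || [];
      return allowed.includes("*") || allowed.includes(new URL(url).origin);
    },
  };
}

const NETWORK_ERROR = Object.freeze({ type: "error", status: 0 });

// Constructed stand-in for the network: URL -> response.
const sampleNetwork = new Map([
  ["https://app.example/logo.png", { status: 200, body: "png" }],
  ["https://app.example/go", { status: 302, location: "https://tracker.example/pixel.gif" }],
  ["https://tracker.example/pixel.gif", { status: 200, body: "gif" }],
  ["https://app.example/cdn", { status: 302, location: "https://cdn.example/a.png" }],
  ["https://cdn.example/a.png", { status: 200, body: "png" }],
]);

// The policy is consulted before the first request and again before each redirect hop.
function fetchWithPolicy(url, context, policy, network, maxRedirects = 20) {
  const checked = [];
  let current = url;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    checked.push(current);
    if (!policy.check(current, context)) {
      // Blocked: surface a network error, not a synthetic 400 response.
      return { response: NETWORK_ERROR, checked };
    }
    const res = network.get(current);
    if (!res) return { response: NETWORK_ERROR, checked };
    if (res.status >= 300 && res.status < 400 && res.location) {
      current = new URL(res.location, current).href;
      continue;
    }
    return { response: { type: "basic", status: res.status, body: res.body }, checked };
  }
  return { response: NETWORK_ERROR, checked }; // too many redirects
}

const policy = makePolicy({ image: ["https://app.example", "https://cdn.example"] });
console.log(fetchWithPolicy("https://app.example/go", "image", policy, sampleNetwork));
```

Because the check runs per hop, an allowed first URL cannot be used to reach a disallowed origin through a redirect, and the caller sees the same opaque network error whether the block happened on the first request or a later hop.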