Re: Beacon and CSP

On Wed, Jan 29, 2014 at 8:42 PM, Hill, Brad <bhill@paypal.com> wrote:

> One thing we discussed on the call today is that form-action is about
> sending data away from the page, while connect-src is about retrieving
> content into the page.  By that division, ping and beacon seem to fit
> better under form-action.
>

I've added ping to CSP 1.1:
https://github.com/w3c/webappsec/commit/f960b5d724799ca50f01abdb64e6180c063c1064

I'm not sure we agreed on the call that Beacon should fall into
'form-action'. In fact, I think we decided the opposite (that it should
fall into 'connect-src'), as it's capable of more than forms are (CORS, et
al).

In any event, Beacon's status should probably be covered in the Beacon spec
(or in a future Fetch integration). I don't think we need to address it
specifically in CSP 1.1.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Friday, 7 February 2014 14:41:49 UTC