
Re: Beacon and CSP

From: Mike West <mkwst@google.com>
Date: Fri, 7 Feb 2014 15:40:59 +0100
Message-ID: <CAKXHy=fvbmAptjAwKQe_S=JfXGA_E_DuMDVE-JmzDzPxeSyWww@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal.com>, Anne van Kesteren <annevk@annevk.nl>
Cc: Garrett Robinson <grobinson@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Jan 29, 2014 at 8:42 PM, Hill, Brad <bhill@paypal.com> wrote:

> One thing we discussed on the call today is that form-action is about
> sending data away from the page, while connect-src is about retrieving
> content into the page. By that division, ping and beacon seem to fit
> better under form-action.
>

I've added ping to CSP 1.1:
https://github.com/w3c/webappsec/commit/f960b5d724799ca50f01abdb64e6180c063c1064

I'm not sure we agreed on the call that Beacon should fall into
'form-action'. In fact, I think we decided the opposite (that it should
fall into 'connect-src'), as it's capable of more than forms are (CORS, et
al).

In any event, Beacon's status should probably be covered in the Beacon spec
(or in a future Fetch integration). I don't think we need to address it
specifically in CSP 1.1.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 7 February 2014 14:41:49 UTC
