
Beacon and CSP

From: Ian Melven <ian.melven@gmail.com>
Date: Wed, 15 Jan 2014 10:16:39 -0800
Message-ID: <CA+0m=Feq4Ob6xTS=eSW9d2z5D7kUM4KcG_JTQq9RjpoCb=ytzQ@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Hi,

I was wondering if those on the list have opinions on the interaction
between the recently proposed W3C Beacon spec
(https://dvcs.w3.org/hg/webperf/raw-file/tip/specs/Beacon/Overview.html)
and CSP.

The navigator.sendBeacon API makes a same-origin or cross-origin (with the
requisite CORS check) POST request
asynchronously. It can send arbitrary data in the form of
an ArrayBufferView, Blob, DOMString, or FormData
(possibly subject to encoding/conversion).

Should this POST request be possibly restricted by CSP, and if so, which
directive would apply? I would propose "yes, CSP should apply, using
connect-src" as a strawman. I know others may disagree, see
https://bugzilla.mozilla.org/show_bug.cgi?id=936340#c17 for some examples :)

Thank you for your thoughts and consideration.

ian
Received on Wednesday, 15 January 2014 18:17:06 UTC
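
An added illustration of the strawman in the message above (not part of the original message or of either spec): a simplified connect-src check applied to the URL a page would pass to navigator.sendBeacon. The function names, the sample policy and the hosts are constructed, and matching covers only 'self', 'none', *, scheme sources and host sources.

```javascript
// Added example: simplified CSP source matching, not the full CSP algorithm.
// Assumption (the strawman): sendBeacon() POSTs are checked against connect-src,
// falling back to default-src when connect-src is absent.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // first wins
  }
  return directives;
}

const defaultPort = (proto) => ({ 'http:': '80', 'https:': '443' }[proto] || '');

function sourceMatches(source, target, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return ['http:', 'https:'].includes(target.protocol);
  if (s === "'self'") return target.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // scheme-source
  // host-source: [scheme://]host[:port]; host may start with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false; // paths and other keywords are out of scope here
  const [, scheme, wildcard, host, port] = m;
  const wantScheme = scheme ? scheme + ':' : page.protocol; // simplification
  if (target.protocol !== wantScheme) return false;
  const h = target.hostname;
  if (wildcard ? !h.endsWith('.' + host) : h !== host) return false;
  if (port === '*') return true;
  return (target.port || defaultPort(target.protocol)) === (port || defaultPort(wantScheme));
}

function beaconAllowed(cspHeader, pageUrl, beaconUrl) {
  const policy = parsePolicy(cspHeader);
  const list = policy.get('connect-src') ?? policy.get('default-src');
  if (list === undefined) return true; // no governing directive: unrestricted
  const page = new URL(pageUrl);
  const target = new URL(beaconUrl, page); // relative beacon URLs resolve against the page
  return list.some((src) => sourceMatches(src, target, page));
}

// Constructed sample policy and hosts.
const PAGE = 'https://app.example/dashboard';
const CSP = "default-src 'none'; script-src 'self'; connect-src 'self' https://*.metrics.example";
for (const url of ['/log', 'https://eu.metrics.example/collect', 'https://third-party.example/collect']) {
  console.log(url, beaconAllowed(CSP, PAGE, url) ? 'allowed' : 'blocked');
}
```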
