Re: Beacon and CSP

On Wed, Jan 15, 2014 at 7:16 PM, Ian Melven <ian.melven@gmail.com> wrote:

> Should this POST request be possibly restricted by CSP and if so which
> directive would apply? I would
> propose "yes, CSP should apply, using connect-src" as a strawman. I know
> others may disagree, see
> https://bugzilla.mozilla.org/show_bug.cgi?id=936340#c17 for some examples
> :)
>

I'd talked with Mario about this at some point in the past, and suggested
`form-action` for both <a ping> and Beacon. I'd be fine with `connect-src`
as well.

Generally, I agree that both ought to be governed by CSP. Beacon much
more so than <a ping>.

-mike

Received on Thursday, 16 January 2014 08:58:31 UTC