Re: Beacon and CSP

Hi,


> I'd talked with Mario about this at some point in the past, and suggested
> `form-action` for both <a ping> and Beacon. I'd be fine with `connect-src`
> as well.
>
> Generally, I agree that both ought to be governed by CSP. Beacon much
> moreso than <a ping>.
>
>
form-action seems like another reasonable suggestion since beacon can
essentially do a form POST (except subject to CORS). I think it adds too
much complexity to try and do something like use a different directive
based on the type of data being sent.

Thanks for the thoughts, Mike!

ian

Received on Friday, 17 January 2014 00:23:46 UTC