Re: CSP and Fetch

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 24 Jan 2014 11:41:32 -0800
Message-ID: <CADnb78j=zzga0jVUP1-=_1Zs_u2DjB-EfPUQ43M3m4o8craX0w@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Boris Zbarsky <bzbarsky@mit.edu>, WebAppSec WG <public-webappsec@w3.org>

On Fri, Jan 24, 2014 at 1:47 AM, Mike West <mkwst@google.com> wrote:
> Great. What can we do to help?

I think I have to do the first step. My idea for the interface based
on discussion with Adam Barth a long time ago is that you pass the CSP
source and CSP policy to fetch. (You need to pass both since fetch has
no link with the document and the policy might change if we allow
programmatic access in the future.)

And then fetch invokes a "CSP check" with the appropriate data. CSP
check would be defined in CSP. If CSP check returns failure, fetch
returns a network error. Otherwise we carry along as before.


-- 
http://annevankesteren.nl/
Received on Friday, 24 January 2014 19:42:01 UTC
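
A minimal model of the flow described in the message above, added here as an illustration; it is not code from the message, the CSP specification or the Fetch specification. It assumes "CSP source" means the directive governing the request; `parsePolicy`, `matchesSource`, `cspCheck` and `modelFetch` are hypothetical names, only a subset of source expressions is matched, and no network request is made.

```javascript
// Added illustration: all function names are hypothetical, not spec or browser APIs.
// Parse a policy string into directive -> source list; first occurrence of a directive wins.
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Simplified subset of source matching: 'none', *, 'self', scheme-source, host-source.
function matchesSource(expr, url, selfOrigin) {
  if (expr === "'none'") return false;
  if (expr === '*') return true;
  if (expr === "'self'") return url.origin === selfOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)$/i.exec(expr);
  if (!m) return false; // unsupported expression (ports, paths, keywords): fail closed
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const want = host.toLowerCase();
  return wildcard ? url.hostname.endsWith('.' + want) : url.hostname === want;
}

// The "CSP check": it sees only what the caller passed in, never the document.
function cspCheck(directive, policy, url, selfOrigin) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return 'allowed'; // no applicable directive
  return sources.some((s) => matchesSource(s, url, selfOrigin)) ? 'allowed' : 'failure';
}

// Model of fetch: run the check first; a failure becomes a network error.
function modelFetch(input, { directive, policy, selfOrigin }) {
  const url = new URL(input);
  if (cspCheck(directive, policy, url, selfOrigin) === 'failure') {
    return { type: 'error' }; // network error
  }
  return { type: 'basic', url: url.href }; // placeholder; no request is sent
}

// Constructed sample policy and requests.
const snapshot = parsePolicy("default-src 'self'; img-src https://*.example.com data:");
const ctx = (directive) => ({ directive, policy: snapshot, selfOrigin: 'https://app.example' });
console.log(modelFetch('https://cdn.example.com/a.png', ctx('img-src')).type);
console.log(modelFetch('https://other.test/x.js', ctx('script-src')).type);
```

Because the policy is handed over as a parsed snapshot, a later change to the document's policy does not alter the decision for a request already passed to `modelFetch`.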