
Re: Beacon and CSP

From: Mike West <mkwst@google.com>
Date: Wed, 29 Jan 2014 08:38:44 -0800
Message-ID: <CAKXHy=c2ennvA9qpd=xOpOhE-17ik7cGwXimdewpdy=nZTpLhQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Ian Melven <ian.melven@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Makes sense. If beacon can do more than form submissions, then it ought to
hit `connect-src` rather than `form-action`.

With regard to <form> changing behavior, can you give more detail about
what plans are in the air? I haven't seen those threads.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Fri, Jan 17, 2014 at 3:47 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Jan 17, 2014 at 1:23 AM, Ian Melven <ian.melven@gmail.com> wrote:
> > form-action seems like another reasonable suggestion since beacon can
> > essentially do a form POST (except subject to CORS).
>
> If it triggers CORS, it can do more than <form>, no?
>
> What's CSP's story if we ever change <form> to be able to do more than
> it can do now (and use CORS)?
>
>
> > I think it adds too much complexity to try and do something like use a
> > different directive based on the type of data being sent.
>
> It seems Beacon should follow XMLHttpRequest, EventSource, and such...
>
>
> --
> http://annevankesteren.nl/
>
Received on Wednesday, 29 January 2014 16:39:44 UTC
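
The practical difference between the two directives debated in this thread, shown as an added example that is not part of any message: `connect-src` falls back to `default-src` when absent, while `form-action` does not, so the choice of governing directive changes what an existing policy permits. The policy, origins and function names are constructed, and source matching is simplified to `'none'`, `'self'`, `*` and exact origins.

```javascript
// Added example: simplified CSP check contrasting the two directives discussed
// in this thread. Source matching is reduced to 'none', 'self', '*' and exact
// origins (an assumption; real CSP matching also handles schemes, wildcards,
// ports and paths).

// Parse a policy string into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // CSP ignores repeated directives; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Directives that fall back to default-src when absent. form-action is not one.
const FALLS_BACK = new Set(['connect-src']);

function allows(policy, directive, pageOrigin, targetUrl) {
  const directives = parsePolicy(policy);
  let sources = directives.get(directive);
  if (sources === undefined && FALLS_BACK.has(directive)) {
    sources = directives.get('default-src');
  }
  if (sources === undefined) return true; // no governing directive: allowed
  const target = new URL(targetUrl).origin;
  return sources.some((s) => {
    const src = s.toLowerCase();
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") return target === pageOrigin;
    try { return new URL(src).origin === target; } catch { return false; }
  });
}

// Constructed policy and origins.
const POLICY = "default-src 'self'; form-action https://collect.example";
const PAGE = 'https://app.example';
function demo() {
  const url = 'https://collect.example/log';
  return {
    beaconAsConnectSrc: allows(POLICY, 'connect-src', PAGE, url),
    beaconAsFormAction: allows(POLICY, 'form-action', PAGE, url),
  };
}
```

With this policy, a beacon checked against `connect-src` is blocked by the `default-src 'self'` fallback, whereas the same request checked against `form-action` would be allowed.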
