W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2014

Re: Beacon and CSP

From: Garrett Robinson <grobinson@mozilla.com>
Date: Wed, 29 Jan 2014 11:37:47 -0800
Message-ID: <52E9588B.9070805@mozilla.com>
To: public-webappsec@w3.org
I also support including both <a ping> and beacon under connect-src.

Do we want to include this in 1.1? I know browser's implementations are
incomplete (the Beacon spec is still being developed as well), but it
seems like a trivial addition: just add two bullet points to the list in
the connect-src section.

On 01/29/2014 08:38 AM, Mike West wrote:
> Makes sense. If beacon can do more than form submissions, then it ought
> to hit `connect-src` rather than `form-action`.
> 
> With regard to <form> changing behavior, can you give more detail about
> what plans are in the air? I haven't seen those threads.
> 
> --
> Mike West <mkwst@google.com <mailto:mkwst@google.com>>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> 
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
> 
> 
> On Fri, Jan 17, 2014 at 3:47 AM, Anne van Kesteren <annevk@annevk.nl
> <mailto:annevk@annevk.nl>> wrote:
> 
>     On Fri, Jan 17, 2014 at 1:23 AM, Ian Melven <ian.melven@gmail.com
>     <mailto:ian.melven@gmail.com>> wrote:
>     > form-action seems like another reasonable suggestion since beacon can
>     > essentially do a form POST (except subject to CORS).
> 
>     If it triggers CORS, it can do more than <form>, no?
> 
>     What's CSP's story if we ever change <form> to be able to do more than
>     it can do now (and use CORS)?
> 
> 
>     > I think it adds too
>     > much complexity to try and do something like use a different
>     directive based
>     > on the type of data being sent.
> 
>     It seems Beacon should follow XMLHttpRequest, EventSource, and such...
> 
> 
>     --
>     http://annevankesteren.nl/
> 
> 
Received on Wednesday, 29 January 2014 19:38:15 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC