- From: Garrett Robinson <grobinson@mozilla.com>
- Date: Wed, 29 Jan 2014 11:37:47 -0800
- To: public-webappsec@w3.org
I also support including both <a ping> and beacon under connect-src.

Do we want to include this in 1.1? I know browsers' implementations are incomplete (the Beacon spec is still being developed as well), but it seems like a trivial addition: just add two bullet points to the list in the connect-src section.

On 01/29/2014 08:38 AM, Mike West wrote:
> Makes sense. If beacon can do more than form submissions, then it ought
> to hit `connect-src` rather than `form-action`.
>
> With regard to <form> changing behavior, can you give more detail about
> what plans are in the air? I haven't seen those threads.
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
>
> On Fri, Jan 17, 2014 at 3:47 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>
> On Fri, Jan 17, 2014 at 1:23 AM, Ian Melven <ian.melven@gmail.com> wrote:
> > form-action seems like another reasonable suggestion since beacon can
> > essentially do a form POST (except subject to CORS).
>
> If it triggers CORS, it can do more than <form>, no?
>
> What's CSP's story if we ever change <form> to be able to do more than
> it can do now (and use CORS)?
>
>
> > I think it adds too much complexity to try and do something like use
> > a different directive based on the type of data being sent.
>
> It seems Beacon should follow XMLHttpRequest, EventSource, and such...
>
>
> --
> http://annevankesteren.nl/
>
Received on Wednesday, 29 January 2014 19:38:15 UTC