- From: Hill, Brad <bhill@paypal.com>
- Date: Wed, 29 Jan 2014 19:42:05 +0000
- To: Garrett Robinson <grobinson@mozilla.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

One thing we discussed on the call today is that form-action is about sending data away from the page, while connect-src is about retrieving content into the page. By that division, ping and beacon seem to fit better under form-action.

Brad

> On Jan 29, 2014, at 11:38 AM, "Garrett Robinson" <grobinson@mozilla.com> wrote:
>
> I also support including both <a ping> and beacon under connect-src.
>
> Do we want to include this in 1.1? I know browsers' implementations are
> incomplete (the Beacon spec is still being developed as well), but it
> seems like a trivial addition: just add two bullet points to the list in
> the connect-src section.
>
>> On 01/29/2014 08:38 AM, Mike West wrote:
>> Makes sense. If beacon can do more than form submissions, then it ought
>> to hit `connect-src` rather than `form-action`.
>>
>> With regard to <form> changing behavior, can you give more detail about
>> what plans are in the air? I haven't seen those threads.
>>
>> --
>> Mike West <mkwst@google.com>
>> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>>
>> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
>> Registergericht und -nummer: Hamburg, HRB 86891
>> Sitz der Gesellschaft: Hamburg
>> Geschäftsführer: Graham Law, Christine Elizabeth Flores
>> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>>
>>
>> On Fri, Jan 17, 2014 at 3:47 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>
>> On Fri, Jan 17, 2014 at 1:23 AM, Ian Melven <ian.melven@gmail.com> wrote:
>>> form-action seems like another reasonable suggestion since beacon can
>>> essentially do a form POST (except subject to CORS).
>>
>> If it triggers CORS, it can do more than <form>, no?
>>
>> What's CSP's story if we ever change <form> to be able to do more than
>> it can do now (and use CORS)?
>>
>>> I think it adds too much complexity to try and do something like use
>>> a different directive based on the type of data being sent.
>>
>> It seems Beacon should follow XMLHttpRequest, EventSource, and such...
>>
>>
>> --
>> http://annevankesteren.nl/

Received on Wednesday, 29 January 2014 19:42:33 UTC