- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 4 Jun 2014 09:33:13 +0200
- To: Mike West <mkwst@google.com>
- Cc: Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>
On Wed, Jun 4, 2014 at 9:18 AM, Mike West <mkwst@google.com> wrote:
> We should be able to determine whether or not to load the resource once we
> process the HTTP response headers, we don't have to wait until the whole
> resource is loaded. Whether or not we should do that in Fetch is a somewhat
> open question, as it would happen somewhere in the middle of step 6.
>
> I suppose we could add a new step 7 which checks the ancestor policy
> (delivered via CSP or via X-Frame-Options) against the ancestor browsing
> contexts associated with the request. I'm not sure how much of that we want
> to bring into Fetch, though. Seems like a layering problem.

If it's not Fetch it seems like this should be coordinated with HTML at all the places where this would be applicable. Otherwise we lose track of ordering.

--
http://annevankesteren.nl/
Received on Wednesday, 4 June 2014 07:33:41 UTC