
Re: CSP, Fetch, and frame-ancestors

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 4 Jun 2014 09:33:13 +0200
Message-ID: <CADnb78i=qMVaTMqOV7LUyMNPpfd4opUWNu2o5YKNoLruy9DXBw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>
On Wed, Jun 4, 2014 at 9:18 AM, Mike West <mkwst@google.com> wrote:
> We should be able to determine whether or not to load the resource once we
> process the HTTP response headers, we don't have to wait until the whole
> resource is loaded. Whether or not we should do that in Fetch is a somewhat
> open question, as it would happen somewhere in the middle of step 6.
>
> I suppose we could add a new step 7 which checks the ancestor policy
> (delivered via CSP or via X-Frame-Options) against the ancestor browsing
> contexts associated with the request. I'm not sure how much of that we want
> to bring into Fetch, though. Seems like a layering problem.

If it's not Fetch it seems like this should be coordinated with HTML
at all the places where this would be applicable. Otherwise we lose
track of ordering.


-- 
http://annevankesteren.nl/
Received on Wednesday, 4 June 2014 07:33:41 UTC
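To make the step under discussion concrete, here is an added example (not code from either correspondent, nor from any browser or spec) of the "check the ancestor policy once the response headers are in" decision: given only the response headers, the document's own origin and the chain of ancestor browsing-context origins, it says whether the document may be framed. It applies the CSP2 rule that a `frame-ancestors` directive, when present, takes precedence over `X-Frame-Options`, checks every ancestor rather than only the top-level one (historic `SAMEORIGIN` implementations differed on this), and uses a deliberately simplified reading of CSP source-expression matching, with the simplifications marked as assumptions in the comments. Nothing here needs the response body, which is the point Mike makes above.

```javascript
// Added example: decide from response headers alone whether a document may be
// shown inside the given chain of ancestor browsing contexts.
// Origins are strings such as "https://app.example" (no path).

// Return the frame-ancestors source list, or null if the directive is absent.
function parseFrameAncestors(cspHeader) {
  if (!cspHeader) return null;
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Match one frame-ancestors source expression against one ancestor origin.
// Simplified CSP2 matching; details marked "assumption" are not spec-exact.
function sourceMatches(source, ancestorOrigin, selfOrigin) {
  const src = source.replace(/^'(.*)'$/, '$1').toLowerCase(); // drop quotes
  if (src === 'none') return false;
  if (src === 'self') return ancestorOrigin === selfOrigin; // 'self' is the framed document's origin
  if (src === '*') return true;
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return ancestorOrigin.startsWith(src + '//');
  // host-source: optional scheme, optional "*." wildcard label, host, optional port
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\*|\d+))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const anc = new URL(ancestorOrigin);
  const ancScheme = anc.protocol.slice(0, -1);
  const selfScheme = new URL(selfOrigin).protocol.slice(0, -1);
  // Assumption (simplified): a scheme-less source accepts the document's own
  // scheme or https.
  const schemeOk = scheme ? ancScheme === scheme
                          : ancScheme === selfScheme || ancScheme === 'https';
  if (!schemeOk) return false;
  // "*.example" matches sub.example but not example itself.
  const hostOk = wildcard ? anc.hostname.endsWith('.' + host) : anc.hostname === host;
  if (!hostOk) return false;
  // URL() normalises a default port to ""; a source without a port only
  // matches an ancestor on the scheme's default port.
  if (port === undefined) return anc.port === '';
  if (port === '*') return true;
  const ancPort = anc.port || (ancScheme === 'https' ? '443' : ancScheme === 'http' ? '80' : '');
  return port === ancPort;
}

// headers: object with lower-case header names. ancestorOrigins: nearest
// ancestor first, top-level document last; empty for a top-level navigation.
function mayBeFramed(headers, selfOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return true; // nothing to check for a top-level document
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  if (ancestors !== null) {
    // CSP2: when frame-ancestors is present, X-Frame-Options is ignored.
    // Every ancestor must match at least one source expression.
    return ancestorOrigins.every(a => ancestors.some(s => sourceMatches(s, a, selfOrigin)));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestorOrigins.every(a => a === selfOrigin);
  return true; // no framing policy delivered
}

// Constructed sample response headers, as a server might send them.
const sampleHeaders = {
  'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://*.trusted.example",
  'x-frame-options': 'DENY', // ignored because frame-ancestors is present
};

console.log(mayBeFramed(sampleHeaders, 'https://app.example', ['https://portal.trusted.example']));
```

Because the decision is a pure function of the headers and the ancestor chain, a user agent can make it as soon as the status line and headers have been parsed, which is why the thread asks where in Fetch, or in HTML, that step should be pinned down so its ordering relative to the rest of response processing is unambiguous.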
