Re: CSP, Fetch, and frame-ancestors

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 4 Jun 2014 09:33:13 +0200
Message-ID: <CADnb78i=qMVaTMqOV7LUyMNPpfd4opUWNu2o5YKNoLruy9DXBw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>

On Wed, Jun 4, 2014 at 9:18 AM, Mike West <mkwst@google.com> wrote:
> We should be able to determine whether or not to load the resource once we
> process the HTTP response headers, we don't have to wait until the whole
> resource is loaded. Whether or not we should do that in Fetch is a somewhat
> open question, as it would happen somewhere in the middle of step 6.
> I suppose we could add a new step 7 which checks the ancestor policy
> (delivered via CSP or via X-Frame-Options) against the ancestor browsing
> contexts associated with the request. I'm not sure how much of that we want
> to bring into Fetch, though. Seems like a layering problem.

If it's not Fetch it seems like this should be coordinated with HTML
at all the places where this would be applicable. Otherwise we lose
track of ordering.

Received on Wednesday, 4 June 2014 07:33:41 UTC
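
The ancestor check discussed in this message, sketched as an added example that is not part of the original e-mail or of any specification text: once response headers are available, the ancestor policy is evaluated against every ancestor browsing context. The function names, the simplified source matching, and the sample URLs are assumptions; the rule that `frame-ancestors`, when present, is enforced instead of `X-Frame-Options` follows CSP Level 2.

```javascript
// Added example, not from the thread; function names are hypothetical.
// Source list of the frame-ancestors directive, or null when absent.
function frameAncestorsSources(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Simplified source matching: 'self', *, and [scheme://][*.]host[:port].
function matchesSource(source, ancestor, self) {
  const s = source.toLowerCase();
  if (s === "'self'") return ancestor.origin === self.origin;
  if (s === '*') return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false; // 'none' and unsupported forms match nothing
  const [, scheme, wildcard, host, port] = m;
  const wantScheme = scheme ? scheme + ':' : self.protocol;
  if (ancestor.protocol !== wantScheme) return false;
  const hostOk = wildcard ? ancestor.hostname.endsWith('.' + host) : ancestor.hostname === host;
  const portOk = port === '*' || ancestor.port === (port || '');
  return hostOk && portOk;
}

// headers: object with lower-cased names; selfUrl: URL of the framed document;
// ancestorUrls: URLs of the ancestor browsing contexts, parent first.
function ancestorCheck(headers, selfUrl, ancestorUrls) {
  const self = new URL(selfUrl);
  const ancestors = ancestorUrls.map((u) => new URL(u));
  const sources = frameAncestorsSources(headers['content-security-policy']);
  if (sources !== null) {
    // frame-ancestors present: every ancestor must match some source,
    // and X-Frame-Options is not consulted.
    const ok = ancestors.every((a) => sources.some((src) => matchesSource(src, a, self)));
    return { allowed: ok, decidedBy: 'frame-ancestors' };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: ancestors.length === 0, decidedBy: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') {
    // Assumption: compare every ancestor, not only the top-level context.
    const ok = ancestors.every((a) => a.origin === self.origin);
    return { allowed: ok, decidedBy: 'x-frame-options' };
  }
  return { allowed: true, decidedBy: 'none' };
}
// Constructed sample: same-origin parent framed by a cross-origin top page.
console.log(ancestorCheck({ 'x-frame-options': 'SAMEORIGIN' },
  'https://app.example/w', ['https://app.example/p', 'https://other.example/']));
```

Checking the whole ancestor chain rather than only the immediate parent is what catches a same-origin frame that is itself embedded by a cross-origin page.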
