Re: CSP, Fetch, and frame-ancestors from Mike West on 2014-06-04 (public-webappsec@w3.org from June 2014)

From: Mike West <mkwst@google.com>
Date: Wed, 4 Jun 2014 10:00:39 +0200
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CAKXHy=edJUUjUOEf6q561+uTOTBf9Ai=kbJJjE9grFywzZiN8g@mail.gmail.com>

On Wed, Jun 4, 2014 at 9:55 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> I'm assuming that is defined by the TLS/HTTP specifications. Roughly
> what Fetch is doing is defining the missing parts between APIs and
> getting a resource out of a URL.
>

Makes sense.


> I don't see how it's lower than Fetch by the way. You need to process
> all headers before you know if you're going to follow a redirect. So
> it seems like you would know this around step 10 of
> http://fetch.spec.whatwg.org/#concept-fetch


I think it would need to be before step 7 to catch redirects that set
frame-ancestors, right?

-mike

Received on Wednesday, 4 June 2014 08:01:27 UTC