Re: CSP, Fetch, and frame-ancestors

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 4 Jun 2014 10:44:33 +0200
Message-ID: <CADnb78iYPdUr-T6V=+Pw=8KDf=AXVw2_iRYCAzh4p4fwO80rvw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>

On Wed, Jun 4, 2014 at 10:00 AM, Mike West <mkwst@google.com> wrote:
> On Wed, Jun 4, 2014 at 9:55 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> I don't see how it's lower than Fetch by the way. You need to process
>> all headers before you know if you're going to follow a redirect. So
>> it seems like you would know this around step 10 of
>> http://fetch.spec.whatwg.org/#concept-fetch
>
> I think it would need to be before step 7 to catch redirects that set
> frame-ancestors, right?

How would that work, exactly?

I guess the other thing here is that this only applies as part of
navigate actions and those never follow redirects automatically (HTML
needs to handle them itself for various reasons), so either way I
think we'd be good.


-- 
http://annevankesteren.nl/
Received on Wednesday, 4 June 2014 08:45:02 UTC
