[CSP] PING-- CSP vs. Fetch

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 14 Nov 2014 17:18:38 -0800
Message-ID: <5466A9EE.2050107@mozilla.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

In the CSP Level 2 spec PING ("hyperlink auditing") shows up under
form-action[1]. In Fetch it's listed as connect-src[2]. Both Fetch and
CSP2 put sendBeacon() under connect-src.

Since we want to integrate CSP and Fetch the two specs should agree.

[1] https://w3c.github.io/webappsec/specs/content-security-policy/#directive-form-action
[2] https://fetch.spec.whatwg.org/#requests

I could make reasonably persuasive arguments for putting either feature
under either directive, as well as why the two should be treated the
same or why doing so is not important. If anything sendBeacon() seems
more "form-ish" than <a ping>. In theory putting PING under form-action
(which does not fall back to default-src) seems to solve backwards
compat problems of applying CSP2 to a CSP1 page. For Gecko, at least, <a
ping> was directly controlled by default-src in our CSP1 implementation
so if anything moving it to form-action could reduce restrictions on
existing pages. We doubt we'd be breaking any pages if we put it under
connect-src.

Of the two existing specs I'd personally prefer going with the current
state of the Fetch spec. "ping" will not make authors think of forms.

-Dan Veditz
Received on Saturday, 15 November 2014 01:19:11 UTC
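The difference Dan describes (form-action does not inherit default-src, connect-src does) is easy to see with a small resolver. The following is an added example and is not code from the message, from Gecko, or from either spec; it models the two directive mappings the message compares and applies simplified source matching (no nonces or hashes, no http-to-https port equivalence). The directive set that falls back to default-src, the policy strings, and the host names are constructed for the illustration.

```javascript
// Added example, not code from Dan Veditz's message or from either spec.
// A toy CSP resolver that shows where an <a ping> request and a
// navigator.sendBeacon() call land under the two directive mappings the
// message compares, and what the lack of a default-src fallback for
// form-action means for a page that only ships a CSP1-style policy.

// Which directive governs each request kind under each reading.
const MAPPINGS = {
  csp2:  { ping: 'form-action', beacon: 'connect-src' }, // CSP Level 2 draft
  fetch: { ping: 'connect-src', beacon: 'connect-src' }, // Fetch spec
};

// Fetch directives that inherit default-src when absent (constructed subset).
// form-action is deliberately not in this set, matching the message.
const FALLS_BACK_TO_DEFAULT = new Set([
  'connect-src', 'script-src', 'style-src', 'img-src', 'font-src',
  'media-src', 'object-src',
]);

// Parse "directive value value; directive value" into a Map. As in CSP,
// the first occurrence of a directive wins and later duplicates are ignored.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Simplified source-expression matching (assumption: no nonces or hashes,
// no http->https port-equivalence rules). Supports 'none', 'self', '*',
// scheme-source ("https:") and host-source ("https://a.example", "*.example",
// "a.example:8443").
function sourceMatches(expr, target, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return target.origin === page.origin;
  if (e === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return target.protocol === e;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (target.protocol !== (scheme ? scheme + ':' : page.protocol)) return false;
  const hostOk = wildcard ? target.hostname.endsWith('.' + host) : target.hostname === host;
  if (!hostOk) return false;
  if (port === undefined) return target.port === ''; // default port only
  return port === '*' || target.port === port;
}

// Find the directive that governs a request kind, applying default-src
// fallback only where the directive allows it. null means "unrestricted".
function governingDirective(directives, requestKind, mapping) {
  const name = MAPPINGS[mapping][requestKind];
  if (directives.has(name)) return { name, sources: directives.get(name) };
  if (FALLS_BACK_TO_DEFAULT.has(name) && directives.has('default-src')) {
    return { name: 'default-src', sources: directives.get('default-src') };
  }
  return null;
}

function isAllowed(policy, requestKind, mapping, url, pageUrl) {
  const governing = governingDirective(parsePolicy(policy), requestKind, mapping);
  if (governing === null) return true;
  const target = new URL(url);
  const page = new URL(pageUrl);
  return governing.sources.some((expr) => sourceMatches(expr, target, page));
}

// Side-by-side view of one policy and one destination under both mappings.
function compareMappings(policy, url, pageUrl) {
  const out = {};
  for (const mapping of Object.keys(MAPPINGS)) {
    out[mapping] = {
      ping:   isAllowed(policy, 'ping',   mapping, url, pageUrl),
      beacon: isAllowed(policy, 'beacon', mapping, url, pageUrl),
    };
  }
  return out;
}

// Constructed sample: a CSP1-style policy with only default-src, served by a
// page that has never heard of form-action.
const LEGACY_POLICY = "default-src 'self'";
const PAGE = 'https://app.example/';
console.log(compareMappings(LEGACY_POLICY, 'https://tracker.example/ping', PAGE));
// fetch: ping and beacon both blocked via the default-src fallback.
// csp2: beacon blocked, ping unrestricted because form-action has no fallback.
```

Running the sample shows the trade-off in the message: under the Fetch mapping a legacy `default-src 'self'` page keeps pings on-origin, while under the CSP2 mapping the same page leaves pings unrestricted until it adds an explicit `form-action`. Whether that is the desired backwards-compat behaviour is exactly the question the message raises.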