W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [CSP] Clarifications regarding the HTTP LINK Header

From: Deian Stefan <deian@cs.stanford.edu>
Date: Mon, 17 Nov 2014 18:52:52 -0800
To: Brian Smith <brian@briansmith.org>, Brad Hill <hillbrad@fb.com>
Cc: Ilya Grigorik <ilya@igvita.com>, Anne van Kesteren <annevk@annevk.nl>, Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec\@w3.org" <public-webappsec@w3.org>
Message-ID: <871tp12pa3.fsf@cs.stanford.edu>

Brian Smith <brian@briansmith.org> writes:
> Devdatta brought up the point last week that the CSP drafts do not say
> that the browser MUST NOT issue the HTTP (or whatever) request when
> they block a fetch due to CSP violation. That is, it is perfectly
> legal to make the HTTP request (optionally caching it) and then ignore
> it, according to the current wording in the CSP drafts. However, I
> think this is a bug that should be fixed.

+1 I think this should be fixed as well.
Received on Tuesday, 18 November 2014 02:53:19 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:43 UTC