Re: [CSP] Clarifications regarding the HTTP LINK Header

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 18 Nov 2014 10:11:01 +0100
Message-ID: <CADnb78j_w0=krmW0Ji=7q9ceBpUB6HCxddwyrFm=yrhX+j8sow@mail.gmail.com>
To: Deian Stefan <deian@cs.stanford.edu>
Cc: Brian Smith <brian@briansmith.org>, Brad Hill <hillbrad@fb.com>, Ilya Grigorik <ilya@igvita.com>, Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Tue, Nov 18, 2014 at 3:52 AM, Deian Stefan <deian@cs.stanford.edu> wrote:
> Brian Smith <brian@briansmith.org> writes:
>> Devdatta brought up the point last week that the CSP drafts do not say
>> that the browser MUST NOT issue the HTTP (or whatever) request when
>> they block a fetch due to CSP violation. That is, it is perfectly
>> legal to make the HTTP request (optionally caching it) and then ignore
>> it, according to the current wording in the CSP drafts. However, I
>> think this is a bug that should be fixed.
> +1 I think this should be fixed as well.

This would be fixed by a Fetch-based rewrite, that's planned for
CSP3... Though note that due to service workers CSP will likely not be
able to prevent all fetches going forward (since service workers have
their own policy) and that therefore we're looking into blocking on
certain responses as well.

Received on Tuesday, 18 November 2014 09:11:28 UTC