- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 18 Nov 2014 10:11:01 +0100
- To: Deian Stefan <deian@cs.stanford.edu>
- Cc: Brian Smith <brian@briansmith.org>, Brad Hill <hillbrad@fb.com>, Ilya Grigorik <ilya@igvita.com>, Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Nov 18, 2014 at 3:52 AM, Deian Stefan <deian@cs.stanford.edu> wrote:
> Brian Smith <brian@briansmith.org> writes:
>> Devdatta brought up the point last week that the CSP drafts do not say
>> that the browser MUST NOT issue the HTTP (or whatever) request when
>> they block a fetch due to CSP violation. That is, it is perfectly
>> legal to make the HTTP request (optionally caching it) and then ignore
>> it, according to the current wording in the CSP drafts. However, I
>> think this is a bug that should be fixed.
>
> +1 I think this should be fixed as well.

This would be fixed by a Fetch-based rewrite, that's planned for CSP3...
Though note that due to service workers CSP will likely not be able to
prevent all fetches going forward (since service workers have their own
policy) and that therefore we're looking into blocking on certain
responses as well.

--
https://annevankesteren.nl/
Received on Tuesday, 18 November 2014 09:11:28 UTC