Re: CfC: Transition CSP2 to CR.

On Wed, Jan 28, 2015 at 1:56 AM, Francois Marier <francois@mozilla.com> wrote:

> On 28/01/15 04:42, Mike West wrote:
> > Are there other issues which I've missed, or insufficiently addressed?
>
> It would be good to make a decision on whether or not to sync with the
> Fetch spec with respect to ping:
>
>   https://github.com/w3c/webappsec/pull/99


Well, we did make a decision[1]. Then Dan questioned the decision[2], I
said "I don't care"[3], and we left it there.

I just checked Gecko, which looks like it doesn't map <a ping> to any
particular directive, but blocks on default-src[4]. I don't think Blink
does any check at all, which is sad[5].

I have zero opinion on this. It sounds like you do have an opinion, which
is great! I'll merge your PR, and if other folks with opinions disagree, we
can unmerge it later. :)

(Sorry I missed your PR in the GitHub sweep I did yesterday. I didn't mean
to ignore it.)

-mike

[1]: https://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0012.html
[2]: https://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0259.html
[3]: https://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0262.html
[4]: http://lxr.mozilla.org/mozilla-central/source/dom/security/nsCSPUtils.cpp#166
[5]: https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/loader/PingLoader.cpp&sq=package:chromium&q=PingLoader&l=123

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Wednesday, 28 January 2015 08:51:22 UTC