- From: Mike West <mkwst@google.com>
- Date: Wed, 28 Jan 2015 09:50:33 +0100
- To: Francois Marier <francois@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=eaZMh=fw8HXbxe9h=X2uYjDYQcWKw_b5z0R-xnBtv6qg@mail.gmail.com>
On Wed, Jan 28, 2015 at 1:56 AM, Francois Marier <francois@mozilla.com> wrote:
> On 28/01/15 04:42, Mike West wrote:
> > Are there other issues which I've missed, or insufficiently addressed?
>
> It would be good to make a decision on whether or not to sync with the
> Fetch spec with respect to ping:
>
> https://github.com/w3c/webappsec/pull/99

Well, we did make a decision[1]. Then Dan questioned the decision[2], I said "I don't care"[3], and we left it there.

I just checked Gecko, which looks like it doesn't map <a ping> to any particular directive, but blocks on default-src[4]. I don't think Blink does any check at all, which is sad[5].

I have zero opinion on this. It sounds like you do have an opinion, which is great! I'll merge your PR, and if other folks with opinions disagree, we can unmerge it later. :)

(Sorry I missed your PR in the GitHub sweep I did yesterday. I didn't mean to ignore it.)

-mike

[1]: https://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0012.html
[2]: https://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0259.html
[3]: https://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0262.html
[4]: http://lxr.mozilla.org/mozilla-central/source/dom/security/nsCSPUtils.cpp#166
[5]: https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/loader/PingLoader.cpp&sq=package:chromium&q=PingLoader&l=123

--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 28 January 2015 08:51:22 UTC
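The three behaviours the mail contrasts (Gecko checks an `<a ping>` against default-src only, Blink does not check it at all, and a Fetch-synced mapping that gives ping a directive of its own) modelled as an added JavaScript example; this is not code from the thread nor from either browser. The source-list matcher is deliberately minimal ('none', 'self', '*' and exact origins only), the assumption that the Fetch-synced mapping puts ping under connect-src with the usual default-src fallback is mine rather than something the mail states, and the policy, page URL and ping URL are constructed for the demonstration.

```javascript
// Model of how a CSP directive is chosen for a hyperlink-auditing (<a ping>)
// request under three browser behaviours, so that the practical effect of
// the decision in the thread is visible on a concrete policy.

const BEHAVIOURS = {
  // Gecko, per the nsCSPUtils.cpp reference: ping has no directive of its
  // own, so only default-src applies.
  gecko2015: { pingDirective: null, checksPing: true },
  // Blink, per the PingLoader.cpp reference: pings are not checked at all.
  blink2015: { pingDirective: null, checksPing: false },
  // ASSUMED Fetch-synced behaviour: ping is governed by connect-src,
  // falling back to default-src when connect-src is absent.
  fetchSynced: { pingDirective: "connect-src", checksPing: true },
};

// Parse "name src src; name src" into Map<directive, [source expressions]>.
// As in CSP, the first occurrence of a directive wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Which directive, if any, governs a ping under the given behaviour.
// null means "nothing governs it": the request goes through unchecked.
function effectiveDirective(directives, behaviour) {
  if (!behaviour.checksPing) return null;
  if (behaviour.pingDirective && directives.has(behaviour.pingDirective)) {
    return behaviour.pingDirective;
  }
  if (directives.has("default-src")) return "default-src";
  return null;
}

function originOf(url) {
  return new URL(url).origin; // scheme://host[:port]
}

// Minimal source-list match: 'none', 'self', '*' and exact-origin sources.
// Other expression forms (hashes, nonces, wildcard hosts) are skipped here.
function sourceListAllows(sources, requestUrl, pageUrl) {
  const reqOrigin = originOf(requestUrl);
  const pageOrigin = originOf(pageUrl);
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "*") return true;
    if (s === "'self'" && reqOrigin === pageOrigin) return true;
    if (!s.startsWith("'")) {
      try {
        if (originOf(s) === reqOrigin) return true;
      } catch (_) {
        // not a full origin (e.g. a bare host); unsupported in this model
      }
    }
  }
  return false;
}

// Returns { allowed, directive } for a ping from pageUrl to pingUrl.
function pingAllowed(policy, pingUrl, pageUrl, behaviour) {
  const directives = parsePolicy(policy);
  const directive = effectiveDirective(directives, behaviour);
  if (directive === null) return { allowed: true, directive: null };
  const allowed = sourceListAllows(directives.get(directive), pingUrl, pageUrl);
  return { allowed, directive };
}

// Constructed sample: a shop page whose policy allows connections to an
// analytics origin but restricts everything else to 'self'.
const SAMPLE_POLICY = "default-src 'self'; connect-src https://analytics.example";
const SAMPLE_PAGE = "https://shop.example/checkout";
const SAMPLE_PING = "https://analytics.example/track";

for (const [name, behaviour] of Object.entries(BEHAVIOURS)) {
  const r = pingAllowed(SAMPLE_POLICY, SAMPLE_PING, SAMPLE_PAGE, behaviour);
  console.log(`${name}: ${r.allowed ? "allowed" : "blocked"} (directive: ${r.directive})`);
}
```

On the sample policy the same ping is blocked by the Gecko model (default-src 'self' does not cover analytics.example), passed unchecked by the Blink model, and allowed by the Fetch-synced model because connect-src names the analytics origin; drop connect-src from the policy and the Fetch-synced model falls back to default-src and blocks it too.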