Add preload and prerender contexts
#36
Comments
1 task
|
It seems they should be governed by CSP somehow, otherwise you can "escape the page" without performing navigation. (Unless these are same-origin restricted?) |
|
Also, to be clear, that big table is informative and not normative about what CSP will do. CSP will be rewritten in terms of Fetch in due course and then this should be a lot clearer. |
annevk
added a commit
that referenced
this issue
Apr 4, 2015
|
Closing this. CSP alignment will come when @mikewest fixes CSP to use Fetch. |
|
@annevk sorry missed the earlier commit. Thanks for adding preload/prerender! One gotcha that I was reminded after opening this bug: connect-src is not the right policy for preload. See: w3c/preload#17 (comment)... We should probably leave it as empty for now, at least until we resolve our "as" exploration. |
annevk
added a commit
that referenced
this issue
May 5, 2015
|
Done. |
|
thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Current list of contexts contains
prefetchbut omitsprerenderandpreload, which need to be added to the list. I'm thinking...preload->connect-src(see (WIP) Remove loadpolicy attribute w3c/preload#17 (comment))prefetch-> no CSP policy? Is there a reason? Should it beconnect-srcas well?prerender-> intuitively, seems that it should be the same asprefetch./cc @yoavweiss @mikewest
The text was updated successfully, but these errors were encountered: