Add preload and prerender contexts #36
Comments
It seems they should be governed by CSP somehow, otherwise you can "escape the page" without performing navigation. (Unless these are same-origin restricted?)
Also, to be clear, that big table is informative and not normative about what CSP will do. CSP will be rewritten in terms of Fetch in due course and then this should be a lot clearer.
Closing this. CSP alignment will come when @mikewest fixes CSP to use Fetch.
@annevk sorry missed the earlier commit. Thanks for adding preload/prerender! One gotcha that I was reminded of after opening this bug: connect-src is not the right policy for preload. See: w3c/preload#17 (comment)... We should probably leave it as empty for now, at least until we resolve our "as" exploration.
Done.
thanks!
Current list of contexts contains prefetch but omits prerender and preload, which need to be added to the list. I'm thinking...
- preload -> connect-src (see (WIP) Remove loadpolicy attribute w3c/preload#17 (comment))
- prefetch -> no CSP policy? Is there a reason? Should it be connect-src as well?
- prerender -> intuitively, seems that it should be the same as prefetch.
/cc @yoavweiss @mikewest