
CSP Request Header and CORS preflight fetch. #52

Closed

Description


According to the CSP spec
https://w3c.github.io/webappsec/specs/content-security-policy/#csp-request-header

If the user agent monitors or enforces a policy that contains a directive that contains a source list, then the user agent MUST set a CSP Request Header when requesting cross-origin resources, as described in §3.4 The CSP HTTP Request Header.

But "CSP" is not a simple header
https://fetch.spec.whatwg.org/#simple-header

A simple header is a header whose name is either one of Accept, Accept-Language, and Content-Language, or whose name is Content-Type and value, once parsed, has a MIME type (ignoring parameters) that is one of application/x-www-form-urlencoded, multipart/form-data, and text/plain.

So when the user agent requests a cross-origin resource for which a CSP is set, it must send a CORS preflight fetch.

This means that when we use CSP, we can't use a CDN that doesn't support CORS preflight.

Is my understanding correct?

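The reasoning in the issue rests on one rule from Fetch: a cross-origin request made with CORS needs an OPTIONS preflight as soon as it carries a header that is not a "simple header" (today's Fetch calls these CORS-safelisted request-headers). The following is an added example, not code from the issue author or from the webappsec repository. It models that rule using the definition quoted above, shows that adding a `CSP` header to an otherwise simple GET forces a preflight, and builds the preflight request a browser would then send to the CDN. The function names (`isSimpleHeader`, `requiresPreflight`, `offendingHeaders`, `preflightRequest`) and the sample requests are this example's own.

```javascript
// Added example (not from the issue or the spec repo): model of the Fetch
// "simple header" rule quoted in the issue and the preflight it triggers.

// Header names that are always simple, per the quoted definition.
const SIMPLE_HEADER_NAMES = new Set(["accept", "accept-language", "content-language"]);

// Content-Type is simple only for these MIME types (parameters ignored).
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Methods that do not by themselves force a preflight (Fetch: simple methods).
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

// Extract the MIME type from a Content-Type value, dropping parameters such
// as "; charset=utf-8", to match "once parsed ... ignoring parameters".
function mimeType(value) {
  return value.split(";")[0].trim().toLowerCase();
}

// True iff (name, value) is a simple header under the quoted definition.
function isSimpleHeader(name, value) {
  const lower = name.toLowerCase();
  if (SIMPLE_HEADER_NAMES.has(lower)) return true;
  if (lower === "content-type") return SIMPLE_CONTENT_TYPES.has(mimeType(value));
  return false;
}

// Names of the headers that would force a preflight, for diagnostics.
function offendingHeaders(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => !isSimpleHeader(name, value))
    .map(([name]) => name);
}

// True iff a cross-origin request made with CORS (e.g. fetch() in "cors"
// mode) must be preceded by an OPTIONS preflight: a non-simple method or
// any non-simple header is enough.
function requiresPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  return offendingHeaders(headers).length > 0;
}

// The preflight the browser would send: an OPTIONS request announcing the
// real method and the non-simple header names (lowercased, sorted,
// comma-separated, as Fetch serialises Access-Control-Request-Headers).
// Returns null when no preflight is needed.
function preflightRequest(origin, method, headers) {
  if (!requiresPreflight(method, headers)) return null;
  const names = offendingHeaders(headers).map((n) => n.toLowerCase()).sort();
  const preflightHeaders = {
    Origin: origin,
    "Access-Control-Request-Method": method.toUpperCase(),
  };
  if (names.length > 0) {
    preflightHeaders["Access-Control-Request-Headers"] = names.join(",");
  }
  return { method: "OPTIONS", headers: preflightHeaders };
}

// Constructed sample requests (not captured traffic).
// A form POST with a charset parameter: still simple, no preflight.
const plainFormPost = {
  "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
};
// The same page with a policy in force adds the CSP request header,
// which is not in the simple-header list, so a preflight follows.
const withCspHeader = {
  Accept: "*/*",
  CSP: "script-src 'self' https://cdn.example",
};

const demo = preflightRequest("https://app.example", "GET", withCspHeader);
// demo.headers["Access-Control-Request-Headers"] === "csp": the CDN must
// answer this OPTIONS request (Access-Control-Allow-Headers covering "csp")
// or the actual GET is never sent.
```

Run with `node` to see the preflight object; the CDN side of the exchange is simply whether its OPTIONS handler echoes an Access-Control-Allow-Headers value that covers `csp`, which is the support the issue says a plain CDN may lack.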