(In reply to Frederik Braun [:freddy] from comment #6) > We need the CSP before starting any load, actually. Why? What CSP governs a document/docshell load from a CSP-less about:blank to e.g. https://foo.com/, other than whatever foo.com returns over the network? > I don't know how we synthesize a document from session restore. > Are we creating a document from disk without hitting the network again? We'll always hit necko, though necko may serve from cache (including headers). Session restore is only metadata like title, favicon, form inputs, potentially cookies, etc.
Bug 1867137 Comment 7 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
(In reply to Frederik Braun [:freddy] from comment #6) > We need the CSP before starting any load, actually. Why? What CSP governs a document/docshell load from a CSP-less about:blank to e.g. https://foo.com/, other than whatever foo.com returns over the network? Edit: put differently, what CSP do we use for a load from the awesomebar? My understanding was "none", but... > I don't know how we synthesize a document from session restore. > Are we creating a document from disk without hitting the network again? We'll always hit necko, though necko may serve from cache (including headers). Session restore is only metadata like title, favicon, form inputs, potentially cookies, etc.