
CSP and PostMessage?

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Thu, 15 Dec 2011 15:05:27 -0800
Message-ID: <CAPfop_2iL99_48fvcdwmtBaDJnYn_EC6ihrKpb7axqVs9nt4vw@mail.gmail.com>
To: public-web-security@w3.org

Hi

Has a post-message-src directive been considered? From the
introduction in the specification:

"Content Security Policy is a declarative policy that lets the authors
(or server administrators) of a web application restrict from where
the application can load resources."

If the goal is to restrict WHERE data comes from, then the ability to
restrict message sources to be particular origins is in scope.
Additionally, this would be tremendously useful over the current style
of "check origin for every postMessage event".

shameless plug: We have found real vulnerabilities in the past with
this and had suggested using CSP (
http://www.cs.berkeley.edu/~devdatta/papers/w2sp10-primitives.pdf )
thanks
Devdatta
Received on Friday, 16 December 2011 00:51:37 GMT
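As an added example (not code from the post, from the paper it links, or from the CSP specification), here is the receiving-side "check origin for every postMessage event" pattern the message refers to, factored into one helper so the check is not re-typed in every listener, together with the sending side pinning an explicit targetOrigin. The origins, the event objects and the `createOriginCheckedHandler`/`postToFrame` names are constructed for this example.

```javascript
'use strict';

// Exact-match allowlist of trusted origins. Compare full origins
// (scheme + host + port), never substrings or prefixes, so that
// "https://app.example.com.attacker.net" does not pass for "https://app.example.com".
function isAllowedOrigin(origin, allowedOrigins) {
  if (typeof origin !== 'string' || origin === '' || origin === 'null') {
    // Opaque origins (sandboxed iframes, file: documents) report "null"; never trust them.
    return false;
  }
  return allowedOrigins.includes(origin);
}

// Wraps a message callback so it only runs for events whose origin is on the allowlist.
// The returned handler is what you pass to window.addEventListener('message', ...).
// handler.stats counts accepted and dropped events for logging.
function createOriginCheckedHandler(allowedOrigins, onMessage) {
  const allowed = Object.freeze([...allowedOrigins]);
  const stats = { accepted: 0, dropped: 0 };
  function handler(event) {
    if (!isAllowedOrigin(event.origin, allowed)) {
      stats.dropped += 1;
      return false;
    }
    stats.accepted += 1;
    onMessage(event.data, event);
    return true;
  }
  handler.stats = stats;
  return handler;
}

// Sender side: always name the target origin. A targetOrigin of '*' delivers the
// message to whatever document is currently loaded in the frame, so a frame that
// has been navigated elsewhere would receive it.
function postToFrame(targetWindow, data, targetOrigin) {
  if (targetOrigin === '*') {
    throw new Error('refusing to postMessage with wildcard targetOrigin');
  }
  targetWindow.postMessage(data, targetOrigin);
}

// Constructed demo events standing in for real MessageEvent objects
// (only the fields the check uses: origin and data).
function runDemo() {
  const received = [];
  const handler = createOriginCheckedHandler(
    ['https://app.example.com', 'https://widgets.example.com'],
    (data) => received.push(data)
  );
  const events = [
    { origin: 'https://app.example.com', data: { type: 'token', value: 'ok' } },
    { origin: 'https://app.example.com.attacker.net', data: { type: 'token', value: 'evil' } },
    { origin: 'null', data: { type: 'token', value: 'sandboxed' } },
    { origin: 'http://app.example.com', data: { type: 'token', value: 'http-downgrade' } },
    { origin: 'https://widgets.example.com', data: { type: 'resize', value: 300 } },
  ];
  for (const e of events) handler(e);
  return { received, stats: handler.stats };
}
```

In a page, register the wrapper once with `window.addEventListener('message', handler)`; only the first and last constructed events above reach the callback, and the three spoofed, opaque or scheme-downgraded origins are dropped before any data is touched. Keeping the allowlist in one frozen array is the closest a script can get today to the declarative, per-origin restriction the post asks for.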
