Re: CSP and PostMessage?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Sun, 18 Dec 2011 22:01:53 -0800
Message-ID: <4EEED351.6010409@mozilla.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
CC: public-web-security@w3.org

On 12/15/11 3:05 PM, Devdatta Akhawe wrote:
> Has a post-message-src directive been considered? From the
> introduction in the specification:

I don't recall any discussions about it. Since postMessage() can
already be used safely I'm not feeling a burning need for it, but
maybe you can convince us.

If developers aren't remembering to use the security features that
already exist would they think to add it to a content security policy?

Naming quibble, -src seems ambiguous to me in this context (source
of the message? source of the frame to which you're posting?).
post-message-from might be clearer, but then it cries out for the
corresponding post-message-to.

-Dan Veditz
Received on Monday, 19 December 2011 06:02:30 GMT
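
An added example, not part of the original message or of any specification text: the existing postMessage() checks the message above alludes to, with the receiver validating the browser-supplied `event.origin` (the "from" side) and the sender naming an explicit `targetOrigin` (the "to" side). The names `makeReceiver`, `sendTo`, `TRUSTED_ORIGINS` and the origins are hypothetical.

```javascript
// Constructed placeholder origins for illustration only.
const TRUSTED_ORIGINS = new Set(["https://widgets.example", "https://pay.example"]);

// Receiving side ("from"): wrap a handler so it only runs for messages whose
// event.origin exactly matches an allowed origin.
function makeReceiver(allowedOrigins, handler) {
  return function onMessage(event) {
    // event.origin is filled in by the browser, not by the sending page.
    // Compare it exactly: a prefix or substring test would also accept
    // look-alike hosts such as https://widgets.example.evil.test.
    if (typeof event.origin !== "string" || !allowedOrigins.has(event.origin)) {
      return false; // message dropped, handler never sees the data
    }
    handler(event.data, event.origin);
    return true;
  };
}

// Sending side ("to"): always name the recipient's origin so the browser
// delivers the message only if the target window still holds that origin.
function sendTo(targetWindow, message, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("wildcard targetOrigin refused");
  }
  const origin = new URL(targetOrigin).origin; // normalise; throws on bad input
  if (origin === "null") {
    throw new Error("targetOrigin has an opaque origin");
  }
  targetWindow.postMessage(message, origin);
  return origin;
}

// In a page, the receiver is registered as a normal message listener.
if (typeof window !== "undefined") {
  window.addEventListener(
    "message",
    makeReceiver(TRUSTED_ORIGINS, (data, origin) => console.log(origin, data))
  );
}
```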