Re: CSP and PostMessage? from gaz Heyes on 2011-12-19 (public-web-security@w3.org from December 2011)

From: gaz Heyes <gazheyes@gmail.com>
Date: Mon, 19 Dec 2011 08:44:18 +0000
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, public-web-security@w3.org
Message-ID: <CADJi-imAEZUaJ0vim4XuyQNhwQHFxsb5rszy9=k9dX7FM37ruw@mail.gmail.com>

On 19 December 2011 06:01, Daniel Veditz <dveditz@mozilla.com> wrote:

> On 12/15/11 3:05 PM, Devdatta Akhawe wrote:
> > Has a post-message-src directive being considered? From the
> > introduction in the specification:
>
> I don't recall any discussions about it. Since postMessage() can
> already be used safely I'm not feeling a burning need for it, but
> maybe you can convince us.
>

There is no way to prevent an outgoing request, you can check the incoming
request and ensure it was from the domain you intended but an attacker
controlled postMessage request can be sent to any external domain so I
think it would be useful to have control over it in CSP.

Received on Monday, 19 December 2011 08:44:54 UTC