
Re: CSP and PostMessage?

From: gaz Heyes <gazheyes@gmail.com>
Date: Mon, 19 Dec 2011 08:44:18 +0000
Message-ID: <CADJi-imAEZUaJ0vim4XuyQNhwQHFxsb5rszy9=k9dX7FM37ruw@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, public-web-security@w3.org
On 19 December 2011 06:01, Daniel Veditz <dveditz@mozilla.com> wrote:

> On 12/15/11 3:05 PM, Devdatta Akhawe wrote:
> > Has a post-message-src directive been considered? From the
> > introduction in the specification:
>
> I don't recall any discussions about it. Since postMessage() can
> already be used safely I'm not feeling a burning need for it, but
> maybe you can convince us.
>

There is no way to prevent an outgoing request; you can check the incoming
request and ensure it was from the domain you intended, but an attacker-
controlled postMessage request can be sent to any external domain, so I
think it would be useful to have control over it in CSP.
Received on Monday, 19 December 2011 08:44:54 GMT
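The two halves of the point above, as an added example that is not code from the thread or from any browser or CSP implementation: a receiving window can validate `event.origin` on an incoming message (the "used safely" case), while on the sending side the `targetOrigin` argument is chosen by whatever script calls `postMessage`, so a wrapper that refuses `"*"` is only a coding discipline and nothing in the page or in CSP enforces it. The origins, message types, handler names and sample events are constructed for illustration.

```javascript
// Added example, not code from the thread. Origins, message types and the
// sample events below are constructed for illustration.

// Exact-match allowlist. Substring or regex checks on event.origin are a
// classic bug: "https://app.example.com.evil.net" contains the trusted origin.
function isAllowedOrigin(origin, allowedOrigins) {
  return allowedOrigins.includes(origin);
}

// Build a listener for window.addEventListener("message", listener). It checks
// the origin before touching the payload, then dispatches on a message type.
// It returns a small record so the outcome can be inspected or logged.
function makeMessageHandler(allowedOrigins, handlers) {
  return function onMessage(event) {
    if (!isAllowedOrigin(event.origin, allowedOrigins)) {
      return { accepted: false, reason: "origin not allowed: " + event.origin };
    }
    const data = event.data;
    if (data === null || typeof data !== "object" || typeof data.type !== "string") {
      return { accepted: false, reason: "malformed message" };
    }
    // Own-property lookup so a type like "__proto__" cannot reach a prototype.
    const handler = Object.prototype.hasOwnProperty.call(handlers, data.type)
      ? handlers[data.type]
      : null;
    if (!handler) {
      return { accepted: false, reason: "unknown message type: " + data.type };
    }
    return { accepted: true, result: handler(data.payload) };
  };
}

// Sender side. The targetOrigin argument makes the browser drop the message if
// the target window is not currently at that origin; "*" disables that check.
// Refusing "*" here is a discipline for our own code only: any other script in
// the page can still call targetWindow.postMessage directly with any origin,
// which is the gap the reply above describes.
function sendTo(targetWindow, targetOrigin, type, payload) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post to any origin; name the target origin");
  }
  targetWindow.postMessage({ type: type, payload: payload }, targetOrigin);
}

// Run the listener over constructed MessageEvent-like objects and return the
// outcomes, so the behaviour can be checked without a browser.
function demo() {
  const listener = makeMessageHandler(["https://app.example.com"], {
    setTheme: function (payload) { return "theme=" + String(payload); },
  });
  const events = [
    { origin: "https://app.example.com", data: { type: "setTheme", payload: "dark" } },
    { origin: "https://app.example.com.evil.net", data: { type: "setTheme", payload: "dark" } },
    { origin: "null", data: { type: "setTheme", payload: "dark" } }, // sandboxed/opaque origin
    { origin: "https://app.example.com", data: "setTheme=dark" },     // not an object
    { origin: "https://app.example.com", data: { type: "__proto__", payload: 1 } },
  ];
  return events.map(listener);
}
```

Only the first constructed event is accepted; the lookalike origin, the opaque `"null"` origin, the string payload and the `__proto__` type are all rejected before any handler runs. In a real page the listener would be registered with `window.addEventListener("message", listener)` and the return value logged rather than inspected.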
