Re: CSP and PostMessage?

On 12/19/11 1:01 AM, Eduardo Vela wrote:
> Is data exfiltration still a concern for CSP?
> 
> If not, then why xhr-src is there?

XHR is covered (under the new name 'connect-src' along with
EventSource and WebSockets) because it's a source of data used by
the page.

Received on Tuesday, 20 December 2011 00:46:13 UTC