Re: CSP and PostMessage?

From: <sird@rckc.at>
Date: Mon, 19 Dec 2011 16:48:20 -0800
Message-ID: <CACSvzRwcVOjkgB5SgTrxoTXB6QiA_=_gY=UrFcLjP3koRi0Yzg@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: gaz Heyes <gazheyes@gmail.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, public-web-security@w3.org

Hmm, then so is onmessage.

Or the point is that XHR doesn't tell you if the page followed redirects?

-- Eduardo



On Mon, Dec 19, 2011 at 4:45 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> On 12/19/11 1:01 AM, Eduardo Vela wrote:
> > Is data exfiltration still a concern for CSP?
> >
> > If not, then why is xhr-src there?
>
> XHR is covered (under the new name 'connect-src' along with
> EventSource and WebSockets) because it's a source of data used by
> the page.
>
Received on Tuesday, 20 December 2011 00:49:17 GMT