RE: lcamtuf on the subtle/deadly problem with CSP

> Possibly, but what effect would it realistically have at this point?
> 
> /mz

1) JSONP is a very common pattern
2) Popular JSONP feeds are likely to also have lots of other JS at their origin (e.g. google)
3) Therefore, allowing webapps to safely consume JSONP without also accepting all other script content from the origin is important exactly to the extent that origin-granularity attack surface is a genuine problem with CSP (and it seems it is)

Received on Thursday, 1 September 2011 18:24:45 UTC
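Added illustration, not part of the original thread or of anyone's reply in it: a small JavaScript model of how a CSP script-src host-source is matched against a script URL. With origin-granularity matching (scheme, host, port, as in the CSP of the time), whitelisting the JSONP endpoint's origin also whitelists every other script served from that origin; the optional path-aware mode shows what narrowing the whitelist to the JSONP path would change. Host names such as api.example.test are constructed placeholders, and the matcher is a simplification (no 'self', 'none', nonce or hash keywords, no redirect handling).

```javascript
// Minimal CSP script-src host-source matcher (added example, not from the thread).
// Node's global URL is used for parsing script URLs. Host names below are constructed.

const DEFAULT_PORT = { http: "80", https: "443" };

// Parse a host-source like "https://api.example.test:443/jsonp" into its parts.
function parseSourceExpression(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?(\/[^\s]*)?$/i.exec(expr);
  if (!m) throw new Error("unsupported source expression: " + expr);
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || null,
  };
}

// Does one host-source expression allow this script URL?
// pathAware=false reproduces origin-granularity matching (scheme, host, port only);
// pathAware=true also requires the path part to match ("/dir/" prefix, otherwise exact).
function matchesSource(expr, scriptUrl, { pathAware = false } = {}) {
  const src = parseSourceExpression(expr);
  const url = new URL(scriptUrl);
  const urlScheme = url.protocol.replace(/:$/, "");

  // Scheme: explicit scheme must match; no scheme means "http or https" here (simplification).
  if (src.scheme ? src.scheme !== urlScheme : !["http", "https"].includes(urlScheme)) return false;

  // Host: exact match, or a leading "*." wildcard matching one or more subdomain labels.
  if (src.host.startsWith("*.")) {
    const suffix = src.host.slice(1); // ".example.test"
    if (!url.hostname.endsWith(suffix) || url.hostname === suffix.slice(1)) return false;
  } else if (src.host !== url.hostname) {
    return false;
  }

  // Port: "*" matches anything; absent port means the scheme's default port.
  if (src.port !== "*") {
    const urlPort = url.port || DEFAULT_PORT[urlScheme] || "";
    const wantPort = src.port || DEFAULT_PORT[src.scheme || urlScheme] || "";
    if (urlPort !== wantPort) return false;
  }

  // Path: ignored at origin granularity, which is exactly the problem discussed above.
  if (pathAware && src.path) {
    if (src.path.endsWith("/")) {
      if (!url.pathname.startsWith(src.path)) return false;
    } else if (url.pathname !== src.path) {
      return false;
    }
  }
  return true;
}

// Evaluate a whole script-src source list (whitespace separated) against a URL.
// Quoted keywords ('self', 'none', nonces, hashes) are skipped in this simplified model.
function allowedByScriptSrc(sourceList, scriptUrl, opts) {
  return sourceList
    .split(/\s+/)
    .filter((s) => s && !s.startsWith("'"))
    .some((s) => matchesSource(s, scriptUrl, opts));
}

// Worked scenario: a page wants only the JSONP feed, but the same origin serves other scripts.
function jsonpOriginScenario() {
  const jsonpFeed = "https://api.example.test/jsonp?callback=handle";
  const otherScript = "https://api.example.test/some/other/library.js";
  return {
    originOnly: {
      policy: "https://api.example.test",
      jsonpAllowed: allowedByScriptSrc("https://api.example.test", jsonpFeed),
      otherScriptAllowed: allowedByScriptSrc("https://api.example.test", otherScript),
    },
    pathAware: {
      policy: "https://api.example.test/jsonp",
      jsonpAllowed: allowedByScriptSrc("https://api.example.test/jsonp", jsonpFeed, { pathAware: true }),
      otherScriptAllowed: allowedByScriptSrc("https://api.example.test/jsonp", otherScript, { pathAware: true }),
    },
  };
}

console.log(JSON.stringify(jsonpOriginScenario(), null, 2));
```

At origin granularity both URLs are allowed, so consuming the feed means trusting every script the origin will ever serve; only a path-aware source can tell the feed apart from the rest of the origin.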