Re: Proposal to remove the 'frame-action' directive from CSP 1.1

From: Mike West <mkwst@google.com>
Date: Mon, 11 Jun 2012 19:22:07 +0200
Message-ID: <CAKXHy=eL9qJHe45aCskqY=t=XpVUSs1zO74Y4GndSxMQTHT6Ug@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Eric Chen <eric.chen@sv.cmu.edu>, public-webappsec@w3.org, Collin Jackson <collin.jackson@sv.cmu.edu>, Sergey G <serezhka79@gmail.com>
On Mon, Jun 11, 2012 at 7:12 PM, Adam Barth <w3c@adambarth.com> wrote:

> What about form-action 'none'.  Is that still useful?
>
> Also, you might expect that web sites that implement CSP are more
> interested in security and therefore more likely to be part of the 60%
> that protect themselves from CSRF.
>

I'd also note that combining `form-action` with the proposal for more
granular (directory level) sources would make the directive more effective
than the paper presupposes. Authors would have the ability to lock a page
down to submitting forms to specific recipients on their own origin, which
would be a fairly powerful defense.

-mike
Received on Monday, 11 June 2012 17:22:58 GMT
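To make the discussion above concrete, here is an added illustration (not code from this thread or from any CSP implementation) of how a `form-action` source list with directory-level sources would constrain where a page's forms may submit. It is a simplified model of CSP source-expression matching: it handles `'none'`, `'self'` and host sources with an optional path (a path ending in `/` is a directory prefix, any other path must match exactly, query strings are ignored); wildcards, scheme-only sources and nonces are not modelled. The header, origin and URLs are constructed sample values.

```python
from urllib.parse import urlparse

# Effective default ports so "https://host" and "https://host:443" compare equal.
_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, effective port) of an absolute URL."""
    u = urlparse(url)
    return (u.scheme, u.hostname, u.port or _DEFAULT_PORTS.get(u.scheme))


def _matches_source(source, target, page_origin):
    """Simplified CSP source-expression match (assumption: 'self' and
    host-sources with an optional path only; no wildcards or scheme-sources)."""
    if source == "'self'":
        return _origin(target) == _origin(page_origin)
    if _origin(target) != _origin(source):
        return False
    path = urlparse(source).path
    if path in ("", "/"):
        return True                       # whole origin is allowed
    if path.endswith("/"):
        return urlparse(target).path.startswith(path)   # directory prefix
    return urlparse(target).path == path  # exact path (query ignored)


def form_action_allows(source_list, target, page_origin):
    """True if a submission to `target` is permitted by the given source list."""
    sources = source_list.split()
    # An empty list or 'none' matches nothing: every submission is blocked.
    if not sources or sources == ["'none'"]:
        return False
    return any(_matches_source(s, target, page_origin) for s in sources)


def parse_form_action(csp_header):
    """Extract the form-action source list from a CSP header, or None if absent."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "form-action":
            return " ".join(tokens[1:])
    return None


def submission_allowed(csp_header, target, page_origin):
    """Decide whether a form on `page_origin` may submit to `target`."""
    value = parse_form_action(csp_header)
    if value is None:
        return True   # no form-action directive means submissions are unrestricted
    return form_action_allows(value, target, page_origin)


if __name__ == "__main__":
    # Constructed sample: forms may post only to the page's own origin or to
    # one checkout directory on a payment host.
    PAGE = "https://app.example.com"
    HEADER = "default-src 'self'; form-action 'self' https://pay.example.com/checkout/"
    for url in ("https://app.example.com/login",
                "https://pay.example.com/checkout/submit",
                "https://pay.example.com/admin",
                "https://evil.example/collect"):
        print(url, "->", "allowed" if submission_allowed(HEADER, url, PAGE) else "blocked")
```

The directory-prefix rule is what gives the "lock a page down to specific recipients" property: a policy listing `https://pay.example.com/checkout/` still blocks a form pointed at `/admin` on the same host, which a bare host source would have allowed.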