- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 17 Jul 2013 11:50:04 -0700
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Jul 17, 2013 at 10:36 AM, Mike West <mkwst@google.com> wrote:
> On Wed, Jul 17, 2013 at 7:04 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> Isn't frame-src closer?
>
> Might be, yes. `connect-src` seemed more apt, since prefetching is invisible
> to the user in ways that frames generally aren't, but I'm not strongly tied
> to either.

My rationale for frame-src is that preloading would execute scripts,
whereas doing an XMLHttpRequest or EventSource would not.

>> How is this not frame-src? Or is this about top-level? What's the
>> scenario there?
>
> The scenario is injection causing automagical top-level navigation. That's
> why `script-src 'unsafe-inline'` seems like a quasi-decent fit, and why
> `frame-src` doesn't seem relevant enough. *shrug*

I meant the attack scenario. If it's a top-level navigation there's no
same-origin concern. There would be if it happened inside an <iframe>.
Navigating the user to a data URL or a different domain over http seems
about the same...

-- 
http://annevankesteren.nl/
Received on Wednesday, 17 July 2013 18:50:30 UTC
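The thread turns on which CSP directive's source list should govern an injected prefetch/prerender target. The following is an added example, not code from the thread or from any browser's CSP implementation: a deliberately simplified CSP source-list matcher (it handles 'none', 'self', scheme sources and host sources with a leading `*.` wildcard, and ignores paths, nonces and hashes) applied to one constructed policy and page origin. It shows how the same prerender target gets a different verdict depending on whether `connect-src` or `frame-src` is chosen, and that a data: URL is refused under both because it has no matchable host. The policy string, the origin `https://app.example.com` and the target URLs are all assumptions made up for the demonstration.

```javascript
// Added example (not from the mailing-list thread): a simplified CSP
// source-list matcher. Paths, nonces and hashes are deliberately omitted.

function parsePolicy(header) {
  // Split "name src src; name src" into a Map of directive -> source tokens.
  // CSP keeps only the first occurrence of a directive; so do we.
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Host source: [scheme://]host[:port], host may be "*" or "*.example.com".
function hostSourceMatches(source, target, page) {
  let scheme = null;
  let hostPort = source;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(source);
  if (m) {
    scheme = m[1].toLowerCase() + ':';
    hostPort = m[2];
  }
  const [host, port] = hostPort.split(':');
  // No explicit scheme: the source inherits the protected page's scheme.
  if (scheme && scheme !== target.protocol) return false;
  if (!scheme && target.protocol !== page.protocol) return false;

  const targetHost = target.hostname.toLowerCase();
  const h = host.toLowerCase();
  if (h === '*') {
    // any host
  } else if (h.startsWith('*.')) {
    // "*.example.com" matches "api.example.com" but not "example.com"
    if (!targetHost.endsWith(h.slice(1))) return false;
  } else if (h !== targetHost) {
    return false;
  }
  const targetPort = target.port || defaultPort(target.protocol);
  if (port !== undefined && port !== '*' && port !== targetPort) return false;
  return true;
}

// Does `directive` in `policy` allow a load of `urlString` from a page at
// `pageOrigin`? Falls back to default-src when the directive is absent.
function directiveAllows(policy, directive, urlString, pageOrigin) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true; // nothing restricts this load
  const target = new URL(urlString);
  const page = new URL(pageOrigin);
  for (const raw of sources) {
    const s = raw.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") {
      if (target.origin === page.origin) return true;
      continue;
    }
    if (s.startsWith("'")) continue; // 'unsafe-inline', nonces, hashes: not URL sources
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) {
      if (target.protocol === s) return true; // scheme source, e.g. "https:"
      continue;
    }
    if (hostSourceMatches(s, target, page)) return true;
  }
  return false;
}

// Constructed policy and origin for the demonstration (assumptions).
const POLICY = parsePolicy(
  "default-src 'self'; connect-src 'self' https://api.example.com; " +
  "frame-src https://*.example.com; script-src 'self' 'unsafe-inline'"
);
const PAGE_ORIGIN = 'https://app.example.com';

// Verdict for a prerender target under each candidate directive.
function prerenderVerdicts(target) {
  return {
    'connect-src': directiveAllows(POLICY, 'connect-src', target, PAGE_ORIGIN),
    'frame-src': directiveAllows(POLICY, 'frame-src', target, PAGE_ORIGIN),
  };
}

for (const t of ['https://api.example.com/next', 'https://cdn.example.com/p',
                 'http://attacker.example/', 'data:text/html,<script>1</script>']) {
  console.log(t, prerenderVerdicts(t));
}
```

Under this policy `https://cdn.example.com/p` is blocked by `connect-src` but allowed by `frame-src`, which is exactly the kind of difference that makes the choice of directive matter; a data: target is refused by both, and an `http://` target to another domain is refused because every listed host source is `https:`-qualified.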