
RE: [webappsec] Proposed text for jsonp directives

From: Hill, Brad <bhill@paypal-inc.com>
Date: Wed, 6 Mar 2013 00:22:46 +0000
To: Adam Barth <w3c@adambarth.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E27955097@DEN-EXDDA-S12.corp.ebay.com>
> -----Original Message-----
> From: Adam Barth [mailto:w3c@adambarth.com]
> Sent: Tuesday, March 05, 2013 4:16 PM
> To: Hill, Brad
> Cc: public-webappsec@w3.org
> Subject: Re: [webappsec] Proposed text for jsonp directives
> 
> What's the status of this proposal?
> 
> Adam
>

Proposed.  ;)

I haven't received any comments on or expressions of interest in this since I posted it.  Forgot to put it on the agenda last call.

Twitter folks - I wrote this up based specifically on a conversation with your security team about two years ago (though I independently think it's still a good idea).

I've re-attached the proposal.  Are you (or others) still interested in a CSP-safe way to call JSONP APIs?

-Brad

> 
> On Fri, Jan 11, 2013 at 5:48 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> > Per ACTION-98 assigned to me, attached find a draft of proposed text for
> > two directives related to JSONP calls.  These directives would allow a
> > protected resource to call legacy JSONP APIs using the src attribute of a script
> > element, but constrain the execution to a safe, CORS-equivalent model.
> >
> > Feedback appreciated.
> >
> > Brad Hill
> >


Received on Wednesday, 6 March 2013 00:23:18 UTC
