- From: Roger Hågensen <rh_whatwg@skuldwyrm.no>
- Date: Tue, 1 Nov 2016 11:32:48 +0100
- To: whatwg@lists.whatwg.org
On 2016-11-01 10:42, Roger Hågensen wrote:
> I was wondering how can a server or script identify if a request is from
> page, iframe or xhr?

I really hate answering myself (and so soon after making a post) but it seems I have found the answer at https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives and the support is pretty good according to http://caniuse.com/#feat=contentsecuritypolicy

But on MDN it says "For workers, non-compliant requests are treated as fatal network errors by the user agent." But does this apply to non-workers too?

And is there any way to prevent injected hostile scripts? I guess loading scripts from a specific (whitelisted) url could do the trick? Or maybe using strict-dynamic.

Darn it. I may just have answered my own questions here.

--
Roger Hågensen, Freelancer, http://skuldwyrm.no/
Received on Tuesday, 1 November 2016 10:33:22 UTC