- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Thu, 15 Dec 2011 15:05:27 -0800
- To: public-web-security@w3.org
Hi,

Has a post-message-src directive been considered? From the introduction in the specification: "Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application restrict from where the application can load resources." If the goal is to restrict WHERE data comes from, then the ability to restrict message sources to be particular origins is in scope. Additionally, this would be tremendously useful over the current style of "check origin for every postMessage event".

Shameless plug: we have found real vulnerabilities in the past with this and had suggested using CSP ( http://www.cs.berkeley.edu/~devdatta/papers/w2sp10-primitives.pdf ).

Thanks,
Devdatta
Received on Friday, 16 December 2011 00:51:37 UTC
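The "check origin for every postMessage event" pattern the message refers to, as an added example that is not part of the original post or of the CSP specification; the allowlist contents and the `setTheme` message shape are assumptions, and the sample events are constructed so the block runs under Node without a browser:

```javascript
// Added example (not from the mailing-list post). ALLOWED_ORIGINS is an assumed
// allowlist of origins this page is willing to accept messages from.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://widget.example.com",
]);

// Exact-match check against the allowlist. Exact comparison matters: a
// substring or prefix test (e.g. origin.includes("example.com")) would also
// accept "https://example.com.attacker.test", so this code never does that.
function isTrustedOrigin(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Per-message receiver check. Returns the validated action when the sender's
// origin is on the allowlist, or null when the message is dropped.
// `event` mirrors the browser MessageEvent shape ({ origin, data }).
function handleMessage(event) {
  if (!isTrustedOrigin(event.origin)) {
    return null; // untrusted sender (including the opaque "null" origin): ignore
  }
  // Even from a trusted origin, treat the payload as untrusted input and only
  // act on a known message shape.
  if (typeof event.data !== "object" || event.data === null) return null;
  if (event.data.type !== "setTheme") return null;
  return { action: "setTheme", theme: String(event.data.theme) };
}

// Constructed sample events standing in for what a browser would deliver.
const sampleEvents = [
  { origin: "https://app.example.com", data: { type: "setTheme", theme: "dark" } },
  { origin: "https://example.com.attacker.test", data: { type: "setTheme", theme: "dark" } },
  { origin: "null", data: { type: "setTheme", theme: "dark" } }, // sandboxed frame
];

if (typeof window !== "undefined") {
  // Browser wiring: the same check runs on every delivered message.
  window.addEventListener("message", (e) => {
    const result = handleMessage(e);
    if (result) document.body.dataset.theme = result.theme;
  });
} else {
  for (const e of sampleEvents) console.log(e.origin, "->", handleMessage(e));
}
```

The sending side should likewise name the intended recipient with an explicit target origin (`postMessage(msg, "https://app.example.com")`) rather than `"*"`, so a message is not delivered to a window that has navigated elsewhere.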