Re: CSP and PostMessage?

> There is no way to prevent an outgoing request, you can check the incoming
> request and ensure it was from the domain you intended but an attacker
> controlled postMessage request can be sent to any external domain so I think
> it would be useful to have control over it in CSP.

I suspect that it's not the focus of CSP to prevent scripts already
running on the page from talking to cooperating scripts in other

If the goal of CSP is to prevent post-script-execution data
exfiltration, then I'm not sure how that could be attained without
making some sweeping changes. I can just as well use location.hash,, or a plethora of other client-side channels.


Received on Monday, 19 December 2011 09:18:56 UTC