- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Mon, 19 Dec 2011 01:17:58 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: Daniel Veditz <dveditz@mozilla.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, public-web-security@w3.org
> There is no way to prevent an outgoing request, you can check the incoming > request and ensure it was from the domain you intended but an attacker > controlled postMessage request can be sent to any external domain so I think > it would be useful to have control over it in CSP. I suspect that it's not the focus of CSP to prevent scripts already running on the page from talking to cooperating scripts in other origins? If the goal of CSP is to prevent post-script-execution data exfiltration, then I'm not sure how that could be attained without making some sweeping changes. I can just as well use location.hash, window.name, or a plethora of other client-side channels. /mz
Received on Monday, 19 December 2011 09:18:56 UTC