Re: CSP and PostMessage?

Is data exfiltration still a concern for CSP?

If not, then why is xhr-src there?

I'm not sure about this, but it kinda makes sense...
On Dec 19, 2011 2:45 AM, "gaz Heyes" <gazheyes@gmail.com> wrote:

> On 19 December 2011 06:01, Daniel Veditz <dveditz@mozilla.com> wrote:
>
>> On 12/15/11 3:05 PM, Devdatta Akhawe wrote:
>> > Has a post-message-src directive been considered? From the
>> > introduction in the specification:
>>
>> I don't recall any discussions about it. Since postMessage() can
>> already be used safely I'm not feeling a burning need for it, but
>> maybe you can convince us.
>>
>
> There is no way to prevent an outgoing request. You can check the incoming
> request and ensure it was from the domain you intended, but an attacker-
> controlled postMessage request can be sent to any external domain, so I
> think it would be useful to have control over it in CSP.
>

Received on Monday, 19 December 2011 10:37:29 UTC
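The two controls the thread contrasts, as an added example that is not part of the original message: the receiver-side origin check that makes postMessage() "safe" on the incoming side, and the per-call targetOrigin argument, which is the only outgoing control a page has today (CSP offers none). The allowlist, function names and sample events are assumptions constructed for this example.

```javascript
// Assumed allowlist of origins this page is willing to accept messages from.
const ALLOWED_ORIGINS = new Set([
  "https://app.example",     // assumed: the embedding top-level page
  "https://widget.example",  // assumed: a trusted child frame
]);

// Incoming side: accept a message only if the browser-set event.origin is on
// the allowlist and the payload is a structured object with a string "type".
// Returns the accepted message, or null when the event must be ignored.
function handleIncoming(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;
  const data = event.data;
  if (typeof data !== "object" || data === null) return null;
  if (typeof data.type !== "string") return null;
  return { type: data.type, payload: data.payload };
}

// Outgoing side: refuse the "*" wildcard so a sensitive message is never
// delivered to a window that has navigated to an unexpected origin.
function sendTo(targetWindow, message, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing wildcard targetOrigin");
  targetWindow.postMessage(message, targetOrigin);
}

// Model of the browser's delivery rule: the message reaches the listener
// only when targetOrigin matches the target window's current origin.
function browserDelivers(targetWindowOrigin, targetOrigin) {
  return targetOrigin === "*" || targetOrigin === targetWindowOrigin;
}

// Constructed sample events, shaped like what a "message" listener receives.
const SAMPLE_EVENTS = [
  { origin: "https://app.example",      data: { type: "ping", payload: 1 } },
  { origin: "https://attacker.example", data: { type: "ping", payload: 2 } },
  { origin: "https://widget.example",   data: "not-an-object" },
];

function processAll(events) {
  return events.map(handleIncoming);
}

// Wire the listener up when running inside a real page.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => {
    const m = handleIncoming(e);
    if (m) console.log("accepted", m);
  });
}
```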