- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Mon, 19 Dec 2011 16:45:22 -0800
- To: sird@rckc.at
- CC: Eduardo Vela <sirdarckcat@gmail.com>, gaz Heyes <gazheyes@gmail.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, public-web-security@w3.org

On 12/19/11 1:01 AM, Eduardo Vela wrote:
> Is data exfiltration still a concern for CSP?
>
> If not, then why xhr-src is there?

XHR is covered (under the new name 'connect-src' along with EventSource and WebSockets) because it's a source of data used by the page.

Received on Tuesday, 20 December 2011 00:46:13 UTC