Re: CSP and PostMessage?

Hmm, then so is onmessage.

Or the point is that XHR doesn't tell you if the page followed redirects?

-- Eduardo



On Mon, Dec 19, 2011 at 4:45 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> On 12/19/11 1:01 AM, Eduardo Vela wrote:
> > Is data exfiltration still a concern for CSP?
> >
> > If not, then why is xhr-src there?
>
> XHR is covered (under the new name 'connect-src' along with
> EventSource and WebSockets) because it's a source of data used by
> the page.
>

Received on Tuesday, 20 December 2011 00:49:17 UTC