Re: Proposal to remove the 'frame-action' directive from CSP 1.1

On Mon, Jun 11, 2012 at 7:12 PM, Adam Barth <w3c@adambarth.com> wrote:

> What about form-action 'none'.  Is that still useful?
>
> Also, you might expect that web sites that implement CSP are more
> interested in security and therefore more likely to be part of the 60%
> that protect themselves from CSRF.
>

I'd also note that combining `form-action` with the proposal for more
granular (directory level) sources would make the directive more effective
than the paper presupposes. Authors would have the ability to lock a page
down to submitting forms to specific recipients on their own origin, which
would be a fairly powerful defense.

-mike
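As an added illustration (not part of the original thread), the following checker shows what "locking a page down to specific recipients" looks like once `form-action` accepts path-granular sources: a policy such as `form-action https://example.com/forms/` permits submissions only under that directory. Path matching follows the rule CSP Level 2 later standardised (a trailing `/` is a directory prefix, anything else must match exactly); wildcard hosts and scheme-only sources are left out, and the example URLs are constructed.

```python
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def _port(u):
    return u.port or DEFAULT_PORTS.get(u.scheme)


def _path_matches(source_path, target_path):
    # CSP Level 2 path rule: a source path ending in "/" is a directory
    # prefix; any other non-empty path must match exactly.
    if source_path in ("", "/"):
        return True
    if source_path.endswith("/"):
        return target_path.startswith(source_path)
    return target_path == source_path


def _source_matches(source, page, target):
    """True if one form-action source expression allows `target`."""
    if source == "'none'":
        return False
    if source == "'self'":
        return (page.scheme, page.hostname, _port(page)) == (
            target.scheme, target.hostname, _port(target))
    # Scheme-less sources (e.g. example.com/forms/) inherit the page's scheme.
    # Wildcards and scheme-only sources are not handled in this example.
    src = urlparse(source if "://" in source else f"{page.scheme}://{source}")
    return (src.scheme == target.scheme
            and src.hostname == target.hostname
            and _port(src) == _port(target)
            and _path_matches(src.path, target.path))


def form_action_allows(directive_value, page_url, target_url):
    """Evaluate `form-action <directive_value>` for a form on page_url that
    submits to target_url. Returns True if the submission may proceed."""
    page, target = urlparse(page_url), urlparse(target_url)
    return any(_source_matches(s, page, target) for s in directive_value.split())


if __name__ == "__main__":
    # Constructed policy: only forms posting under /forms/ on the same origin.
    policy = "https://example.com/forms/"
    page = "https://example.com/account"
    print(form_action_allows(policy, page, "https://example.com/forms/update"))   # True
    print(form_action_allows(policy, page, "https://example.com/admin/delete"))   # False
    print(form_action_allows(policy, page, "https://evil.example/forms/update"))  # False
```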

Received on Monday, 11 June 2012 17:22:58 UTC