- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Wed, 2 May 2012 12:39:47 -0700
- To: "Hill, Brad" <bhill@paypal-inc.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
The proposed approach also doesn't solve the problem of JSONP APIs being present in one of the already whitelisted origins. For example, if I permit scripts from maps.google.com or api.twitter.com, I don't want an XSS vector to leverage their JSONP interfaces to execute scripts. I think this is more elegantly solved by allowing full URL or possibly path scoping as an alternative to origin scoping for existing CSP directives.

Also, isn't the assumption about JSONP format a bit optimistic? In particular, some JSONP APIs include comments or whitespace at the beginning (for example to thwart MSIE HTML sniffing behavior). There are also some APIs that do something like:

var_name = { JSON }

...or:

fn_name([...serialized array...])

...or:

fn_name({...JSON...}, ...something_else)

/mz
Received on Wednesday, 2 May 2012 19:40:40 UTC
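The following is an added illustration of the two points in the message above; it is not code from the thread or from any W3C specification. The first half shows why an assumption that JSONP bodies look like `fn({...})` is optimistic: a matcher built on that assumption misses every response shape the message lists. The second half shows what path scoping buys over origin scoping by implementing a simplified version of the source-expression matching that CSP Level 2 later standardized (scheme, host, port, and an optional path that is a prefix match when it ends in `/` and an exact match otherwise). Host wildcards, keyword sources and redirect handling are omitted, and all sample bodies and URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# The optimistic assumption: a JSONP body is exactly "<identifier>({<json>})",
# nothing before the callback name and a single object argument.
NAIVE_JSONP = re.compile(r"^[A-Za-z_$][\w$]*\(\{.*\}\);?$", re.S)


def looks_like_naive_jsonp(body: str) -> bool:
    """True if the body fits the naive fn({...}) shape."""
    return NAIVE_JSONP.match(body) is not None


# Constructed sample bodies, one per shape mentioned in the message.
SAMPLE_BODIES = {
    "plain": 'cb({"a": 1})',                      # the only shape the assumption covers
    "comment_prefix": '/**/ cb({"a": 1})',        # comment prefix (anti-sniffing)
    "leading_whitespace": '\n\n  cb({"a": 1})',   # whitespace prefix
    "assignment": 'var_name = {"a": 1}',          # var_name = { JSON }
    "array_argument": 'cb([1, 2, 3])',            # fn_name([...serialized array...])
    "extra_argument": 'cb({"a": 1}, "x")',        # fn_name({...JSON...}, ...something_else)
}


def classify_samples() -> dict:
    """Map each sample name to whether the naive matcher accepts it."""
    return {name: looks_like_naive_jsonp(body) for name, body in SAMPLE_BODIES.items()}


_DEFAULT_PORT = {"http": 80, "https": 443}


def source_matches(expr: str, url: str, page_scheme: str = "https") -> bool:
    """Simplified CSP source-expression match.

    expr is a CSP host source such as "maps.google.com" (origin scoped) or
    "maps.google.com/maps/api/js" (path scoped). A scheme-less expression is
    assumed to inherit the protected page's scheme (page_scheme). Path rules:
    empty path matches any path; a path ending in "/" is a prefix match;
    any other path must match exactly. The query string is never compared.
    """
    e = urlsplit(expr if "://" in expr else "//" + expr)
    u = urlsplit(url)
    e_scheme = e.scheme or page_scheme
    if u.scheme != e_scheme:
        return False
    if u.hostname != e.hostname:
        return False
    if (u.port or _DEFAULT_PORT.get(u.scheme)) != (e.port or _DEFAULT_PORT.get(e_scheme)):
        return False
    path = u.path or "/"
    if not e.path:
        return True                      # origin scoped: any path on the host
    if e.path.endswith("/"):
        return path.startswith(e.path)   # directory prefix
    return path == e.path                # exact resource


if __name__ == "__main__":
    for name, ok in classify_samples().items():
        print(f"{name:20s} naive-jsonp-match={ok}")
    # Origin scoping admits an arbitrary JSONP endpoint on the allowed host;
    # scoping to the one script URL that is actually needed does not.
    jsonp_url = "https://maps.google.com/any/jsonp/endpoint?callback=run"
    print("origin scoped :", source_matches("maps.google.com", jsonp_url))
    print("path scoped   :", source_matches("maps.google.com/maps/api/js", jsonp_url))
```

Note that a directory-style source (`api.twitter.com/1/`) is still a prefix and admits every resource under it, so the tightening only helps when the expression names the exact script that is legitimately loaded.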