Re: [webappsec] for afternoon F2F discussion, proposed CSP 1.1 JSONP directive

The proposed approach also doesn't solve the problem of JSONP APIs
being present in one of the already whitelisted origins. For example,
if I permit scripts from maps.google.com or api.twitter.com, I don't
want an XSS vector to leverage their JSONP interfaces to execute
scripts.

I think this is more elegantly solved by allowing full URL or possibly
path scoping as an alternative to origin scoping for existing CSP
directives.

Also, isn't the assumption about JSONP format a bit optimistic? In
particular, some JSONP APIs include comments or whitespace at the
beginning (for example to thwart MSIE HTML sniffing behavior). There
are also some APIs that do something like:

var_name = { JSON }

...or:

fn_name([...serialized array...])

...or:

fn_name({...JSON...}, ...something_else)

/mz
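[Editor's added example, not part of the message above.] The first point in the message (a whitelisted origin also exposes every JSONP endpoint on that origin) is easiest to see with a small source-expression matcher. The code below is not from the proposal or from any CSP implementation; it applies the path rules that later CSP levels adopted (no path or a path ending in "/" is a prefix match, any other path is an exact match) to a constructed origin-scoped list and a constructed path-scoped list. The hostnames come from the message; the paths and the jsonp-endpoint URL are made up for illustration.

```javascript
// Added example: origin-scoped vs path-scoped CSP source matching.
// Path rules assumed here (as in later CSP levels): a source whose path
// ends in "/" (including a bare origin, whose pathname is "/") matches
// that prefix; any other path must match the request path exactly.
// The query string is never part of the comparison.

function matchesSource(source, requestUrl) {
  const s = new URL(source);
  const r = new URL(requestUrl);
  if (s.origin !== r.origin) return false;          // scheme, host and port
  if (s.pathname.endsWith('/')) {
    return r.pathname.startsWith(s.pathname);        // directory prefix
  }
  return r.pathname === s.pathname;                  // exact resource
}

function isAllowed(sourceList, requestUrl) {
  return sourceList.some((src) => matchesSource(src, requestUrl));
}

// Constructed policies. The first is what "script-src maps.google.com
// api.twitter.com" gives you; the second names only the scripts you
// actually intended to load (paths are illustrative, not real endpoints).
const ORIGIN_SCOPED = ['https://maps.google.com', 'https://api.twitter.com'];
const PATH_SCOPED = [
  'https://maps.google.com/maps/api/js',
  'https://api.twitter.com/widgets/',
];

// Returns how each policy treats one script URL, so the two can be compared.
function evaluate(requestUrl) {
  return {
    originScoped: isAllowed(ORIGIN_SCOPED, requestUrl),
    pathScoped: isAllowed(PATH_SCOPED, requestUrl),
  };
}

// The intended map script passes under both policies; a JSONP endpoint
// on the same host (constructed URL) passes only under origin scoping.
console.log(evaluate('https://maps.google.com/maps/api/js'));
console.log(evaluate('https://maps.google.com/example/jsonp-endpoint?callback=x'));
console.log(evaluate('https://api.twitter.com/widgets/tweet.js'));
```

The comparison is deliberately minimal: it ignores wildcards, scheme-only sources and the 'self' keyword, so it only illustrates why an origin-level whitelist cannot distinguish the script you meant to load from other script-returning resources on the same host.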

Received on Wednesday, 2 May 2012 19:40:40 UTC
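[Editor's added example, not part of the message or of the proposal.] The second point in the message is that real JSONP responses do not all look like `callback({...})`. The code below is a strict validator of the kind a CSP JSONP directive would need if it assumed every response is exactly `<callback>(<JSON object>)` with at most a trailing semicolon; that strict format is an assumption made here for illustration, since the message does not quote the proposal's exact rule. It is run over constructed response bodies in the shapes the message lists (leading anti-sniffing comment, variable assignment, array argument, extra arguments) to show which ones such a rule would reject.

```javascript
// Added example: a strict JSONP response check versus the response shapes
// named in the message. The strict grammar assumed here is
//   <callback> "(" <JSON object> ")" [";"]
// with no leading or trailing bytes; this is an assumption for the
// example, not the text of any proposal.

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Returns the parsed object when `body` is exactly `<callback>(<object>)`,
// otherwise null. Anything before the callback name, any argument that is
// not a single JSON object, and any trailing content fails the check.
function parseStrictJsonp(body, callback) {
  const re = new RegExp('^' + escapeRegExp(callback) + '\\((.*)\\);?$', 's');
  const m = re.exec(body);
  if (!m) return null;
  let value;
  try {
    value = JSON.parse(m[1]);                 // rejects `{...}, extra`
  } catch (err) {
    return null;
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return null;                              // only a JSON object is accepted
  }
  return value;
}

// Constructed response bodies, one per shape the message describes.
const SAMPLES = {
  plain: 'cb({"id": 1, "name": "example"})',
  antiSniffPrefix: '/**/ cb({"id": 1})',        // comment to defeat MSIE sniffing
  assignment: 'cb_data = {"id": 1}',            // var_name = { JSON }
  arrayArg: 'cb([1, 2, 3])',                    // fn_name([...])
  extraArgs: 'cb({"id": 1}, "extra")',          // fn_name({...}, something_else)
};

// Maps each sample name to whether the strict check accepts it.
function classify(callback = 'cb') {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLES)) {
    out[name] = parseStrictJsonp(body, callback) !== null;
  }
  return out;
}

console.log(classify());
```

Only the plain shape survives; every other shape the message lists would have to be either rejected by the directive (breaking working APIs) or accommodated by a looser grammar, which is the trade-off the message is pointing at.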