RE: [webappsec] Proposed text for jsonp directives

> -----Original Message-----
> From: Adam Barth [mailto:w3c@adambarth.com]
> Sent: Tuesday, March 05, 2013 4:16 PM
> To: Hill, Brad
> Cc: public-webappsec@w3.org
> Subject: Re: [webappsec] Proposed text for jsonp directives
> 
> What's the status of this proposal?
> 
> Adam
>

Proposed.  ;)

I haven't received any comments on or expressions of interest in this since I posted it.  Forgot to put it on the agenda last call.

Twitter folks - I wrote this up based specifically on a conversation with your security team about two years ago (though I independently think it's still a good idea).

I've re-attached the proposal.  Are you (or others) still interested in a CSP-safe way to call JSONP APIs?

-Brad

> 
> On Fri, Jan 11, 2013 at 5:48 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> > Per ACTION-98 assigned to me, attached find a draft of proposed text for
> > two directives related to JSONP calls.  These directives would allow a
> > protected resource to call legacy JSONP APIs using the src attribute of a script
> > element, but constrain the execution to a safe, CORS-equivalent model.
> >
> > Feedback appreciated.
> >
> > Brad Hill
> >

Received on Wednesday, 6 March 2013 00:23:18 UTC