- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Wed, 6 Mar 2013 00:22:46 +0000
- To: Adam Barth <w3c@adambarth.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Wednesday, 6 March 2013 00:23:18 UTC
> -----Original Message-----
> From: Adam Barth [mailto:w3c@adambarth.com]
> Sent: Tuesday, March 05, 2013 4:16 PM
> To: Hill, Brad
> Cc: public-webappsec@w3.org
> Subject: Re: [webappsec] Proposed text for jsonp directives
>
> What's the status of this proposal?
>
> Adam
>

Proposed. ;)

I haven't received any comments on or expressions of interest in this since I posted it. Forgot to put it on the agenda last call.

Twitter folks - I wrote this up based specifically on a conversation with your security team about two years ago. (though I independently think it's still a good idea)

I've re-attached the proposal. Are you (or others) still interested in a CSP-safe way to call JSONP APIs?

-Brad

>
> On Fri, Jan 11, 2013 at 5:48 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> > Per ACTION-98 assigned to me, attached find a draft of proposed text for two directives related to JSONP calls. These directives would allow a protected resource to call legacy JSONP APIs using the src attribute of a script element, but constrain the execution to a safe, CORS-equivalent model.
> >
> > Feedback appreciated.
> >
> > Brad Hill
> >