- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 6 Aug 2014 11:44:09 +0200
- To: David Ross <drx@google.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>

On Tue, Aug 5, 2014 at 8:48 PM, David Ross <drx@google.com> wrote:
> I've been working on a project to address XSRF and reflected XSS by enabling
> web apps to regulate their entry points.
>
> Blog with more details:
> http://randomdross.blogspot.com/2014/08/entry-point-regulation-for-web-apps.html
>
> Code for a Chrome extension implementing EPR:
> https://github.com/google/epr
>
> Mike West and I have been talking about spec'ing this out with hooks for CSP
> and Fetch. It would be great to get any comments and feedback from the
> webappsec list!

Should this become part of the manifest format under development?

Also, how does this relate to suborigins? A suborigin seems like it
might be a more robust way of creating a silo on an origin as it does
not rely on external metadata. I guess you don't get the granularity
there...

--
http://annevankesteren.nl/

Received on Wednesday, 6 August 2014 09:44:36 UTC