Re: [CSP] may we have script-ancestors to protect JSONP call


Does CORS solve this use case more securely? I understand that CORS is not
available on all browsers, but any browser that might implement the
proposal you mention already supports CORS. I can't imagine a browser
that doesn't support CORS but will support CSP.


On 27 August 2014 07:06, Hatter Jiang OWS <> wrote:
> The JSONP call is used more and more on websites. If the developer offers
> a JSONP call like:
> If you are logged in, the browser will send the cookie to the server, and
> the server may return:
>   ondisplayuserinfo({"username": "Hatter Jiang", "email":
> ""});
> This JSONP can be used by other sites (like
> , and most browsers will allow
> third-party cookies by default):
>   <script type="text/javascript">
>     function ondisplayuserinfo(userInfo) {
>        // TODO collect user info here
>     }
>   </script>
>   <script type="text/javascript"
> src=""></script>
> So the JSONP may be very unsafe and cause a user info leak. We can resolve this
> issue by using CSRF token checking;
> we should add a CSRF check at the server side, but it may take a long time to
> resolve it.
> And according to referrer-policy (, the
> referer may not be set,
> so we cannot resolve it simply by referer checking.
> If CSP can be set like this:
>   script-ancestors: *
> Then the JSONP (actual script) call from will not take effect, like
> frame-ancestors' behavior.
> Hatter Jiang

Received on Thursday, 28 August 2014 05:03:27 UTC
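The three server-side behaviours this thread compares, shown as an added example that is not code from either poster or from any W3C draft: the cookie-only JSONP endpoint the quoted mail describes (any third-party page that embeds it as a script receives the callback with the victim's data), the same endpoint gated by the per-session CSRF token the mail proposes as the fix, and the CORS replacement the reply suggests. The session store, the cookie and token values, the origins and the request shape are all constructed for illustration; the handlers are pure functions that take a request-like object and return a response-like object, so the example runs offline without a real HTTP server.

```javascript
// Constructed sample session store: cookie value -> user record plus a
// per-session CSRF token that only the first-party page ever sees.
const SESSIONS = {
  'sid=abc123': {
    user: { username: 'Hatter Jiang', email: 'hatter@example.invalid' },
    csrfToken: 'tok-7f3a',
  },
};

// Hypothetical allowlist of origins permitted to read user info cross-site.
const ALLOWED_ORIGINS = new Set(['https://app.example.invalid']);

// JSONP callback names must be plain identifiers; reflecting arbitrary text
// into a script body would turn the endpoint into a reflected XSS sink.
const CALLBACK_RE = /^[A-Za-z_$][\w$.]*$/;

// Length-then-XOR comparison so the token check does not leak via timing.
function constantTimeEqual(a, b) {
  const sa = String(a);
  const sb = String(b);
  if (sa.length !== sb.length) return false;
  let diff = 0;
  for (let i = 0; i < sa.length; i++) diff |= sa.charCodeAt(i) ^ sb.charCodeAt(i);
  return diff === 0;
}

// 1. The pattern from the mail: the endpoint trusts the cookie alone. Any
//    site that embeds <script src=...> gets the callback executed in its own
//    page with the victim's data, because the browser attaches the cookie.
function jsonpUserInfoLeaky(req) {
  const session = SESSIONS[req.cookie];
  if (!session) return { status: 401, headers: {}, body: '' };
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: `${req.query.callback}(${JSON.stringify(session.user)});`,
  };
}

// 2. The server-side fix the mail asks for: require the per-session CSRF
//    token in the query string. A cross-site <script> tag cannot read the
//    token out of the first-party page, so it cannot supply it.
function jsonpUserInfoWithToken(req) {
  const session = SESSIONS[req.cookie];
  if (!session) return { status: 401, headers: {}, body: '' };
  if (!constantTimeEqual(req.query.token || '', session.csrfToken)) {
    return { status: 403, headers: {}, body: '' };
  }
  const cb = req.query.callback || '';
  if (!CALLBACK_RE.test(cb)) return { status: 400, headers: {}, body: '' };
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: `${cb}(${JSON.stringify(session.user)});`,
  };
}

// 3. The CORS alternative from the reply: serve plain JSON (not executable
//    as a script) and name the allowed origin explicitly. The browser
//    withholds the body from any other origin; the server additionally
//    refuses outright so the data never leaves for an unlisted Origin.
function corsUserInfo(req) {
  const session = SESSIONS[req.cookie];
  if (!session) return { status: 401, headers: {}, body: '' };
  const headers = { 'Content-Type': 'application/json', Vary: 'Origin' };
  if (req.origin !== undefined) {
    if (!ALLOWED_ORIGINS.has(req.origin)) return { status: 403, headers, body: '' };
    headers['Access-Control-Allow-Origin'] = req.origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return { status: 200, headers, body: JSON.stringify(session.user) };
}

// Demo: the same cross-site request (victim's cookie attached, attacker's
// page as the origin) against all three handlers.
function demoCrossSite() {
  const crossSite = {
    cookie: 'sid=abc123',
    origin: 'https://attacker.example.invalid',
    query: { callback: 'ondisplayuserinfo' },
  };
  return [jsonpUserInfoLeaky, jsonpUserInfoWithToken, corsUserInfo].map((h) => {
    const r = h(crossSite);
    return `${h.name}: status=${r.status} body=${JSON.stringify(r.body)}`;
  });
}

demoCrossSite().forEach((line) => console.log(line));
```

The JSON variant needs no token because an `application/json` body that is not valid JavaScript cannot be executed through a `<script>` tag at all; the only cross-origin read path left is `fetch`/XHR, which the browser gates on the `Access-Control-Allow-Origin` header, and the server-side origin check is a second line of defence rather than the primary one. The callback-name validation in the token-gated handler addresses a separate JSONP hazard (reflecting attacker-chosen text into a script body) that the thread does not raise.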