Re: Remove paths from CSP?

To clarify.

If anyone whitelists www.google.com then they will whitelist

<script src="
https://www.google.com/news/feed?output=jsonp&callback=document.forms[0].elements[3].click
">

Which, if done in sequence, can be used to click all buttons in the UI and
do XSS-like attacks.

We called this attack reverse clickjacking :-P

Received on Wednesday, 12 February 2014 09:00:18 UTC
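An added illustration, not part of the thread: a small Python model of CSP host-source matching that checks the JSONP URL above against a host-only policy and a path-scoped one, plus the server-side callback-name check a JSONP endpoint needs so that a member-expression chain is never reflected. The `/js/` path, `app.js` and `handleFeed` are assumed values, and the matcher only handles scheme-qualified host sources.

```python
import re
from urllib.parse import urlsplit

# Constructed policies: host-only allow-listing versus path-scoped allow-listing.
HOST_ONLY_POLICY = "script-src https://www.google.com"
PATH_SCOPED_POLICY = "script-src https://www.google.com/js/"   # /js/ is assumed

# The JSONP URL from the post, and a hypothetical legitimate library URL.
JSONP_URL = ("https://www.google.com/news/feed?output=jsonp"
             "&callback=document.forms[0].elements[3].click")
LIBRARY_URL = "https://www.google.com/js/app.js"               # assumed


def source_allows(source, url):
    """Simplified CSP3 host-source match: scheme and host must be equal;
    a source path ending in '/' is a prefix match, any other source path
    is an exact match, and a source with no path matches every path on
    that host. The query string never takes part in the match."""
    s, u = urlsplit(source), urlsplit(url)
    if s.scheme != u.scheme or s.hostname != u.hostname:
        return False
    if s.path in ("", "/"):
        return True                      # host-only source: any path allowed
    if s.path.endswith("/"):
        return u.path.startswith(s.path)  # directory prefix
    return u.path == s.path              # exact file


def script_allowed(policy, url):
    """True if any source in the policy's script-src list permits url."""
    sources = policy.split()[1:]         # drop the 'script-src' directive name
    return any(source_allows(src, url) for src in sources)


# Defence on the JSONP endpoint itself: accept only a plain identifier as
# the callback, so 'document.forms[0].elements[3].click' is rejected
# before it can be reflected into an executable script body.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]{0,63}$")


def safe_callback_name(name):
    return bool(CALLBACK_RE.match(name))
```

Against the host-only policy both URLs are allowed, which is the problem the post describes; the path-scoped policy admits only the library, and the callback filter closes the hole at the endpoint regardless of the consumer's CSP.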