Re: Remove paths from CSP?

On Wed, Feb 12, 2014 at 9:59 AM, Eduardo' Vela" <Nava> <> wrote:

> To clarify.
> If anyone whitelists then they will whitelist
> <script src="
> ">
> Which if done in sequence can be used to click all buttons in the UI, and
> do XSS-like attacks.
> We called this attack reverse clickjacking :-P

I agree with you that preserving paths for scripts would be useful. I
disagree that a lack of paths would make CSP unusable for Google, just less

Would limiting paths to 'script-src' and 'style-src' leave the same leakage
potential? I suspect it would, but I'd need to test <script>'s behavior

Mike West <>
Google+:, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Wednesday, 12 February 2014 09:50:48 UTC
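The trade-off under discussion, as an added example that is not part of the thread and not code from any browser or from Google: a minimal matcher for CSP Level 2 host-source expressions, used to show what a path in 'script-src' buys (Eduardo's point that a host-only whitelist opens every script-shaped response on that host) and where the spec stops applying it (CSP2 ignores the path component once a request has been redirected, so that a violation cannot reveal where a cross-origin redirect landed). The hostnames, policies and URLs are constructed for the demo; the functions sourceMatches, scriptAllowed and demo are this example's own.

```javascript
// Added example, not from the thread or any browser: a minimal matcher for
// CSP Level 2 host-source expressions (scheme://host[:port][/path]).
// Rules implemented: scheme, host (with a leading "*." wildcard), port, and
// path; a source path ending in "/" is a prefix match, any other path is an
// exact match, and path matching is skipped once a request has been redirected.
// Policies, hostnames and URLs below are constructed for the demo.

const DEFAULT_PORTS = { http: "80", https: "443" };

// scheme, port and path are optional; keyword sources ('self', nonces) are not handled.
const SOURCE_RE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(\/[^?#]*)?$/i;

function parseSource(expr) {
  const m = SOURCE_RE.exec(expr.trim());
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || "",
  };
}

function hostMatches(sourceHost, urlHost) {
  if (sourceHost === "*") return true;
  if (sourceHost.startsWith("*.")) {
    const suffix = sourceHost.slice(1); // "*.example.com" -> ".example.com"
    return urlHost.endsWith(suffix) && urlHost.length > suffix.length;
  }
  return sourceHost === urlHost;
}

// Does one source expression match the URL of a fetched script?
// `redirected` marks a URL reached by following a redirect (CSP2 drops path
// matching there); `documentScheme` is the scheme of the protected page.
function sourceMatches(expr, urlString, { redirected = false, documentScheme = "https" } = {}) {
  const s = parseSource(expr);
  const u = new URL(urlString);
  const urlScheme = u.protocol.slice(0, -1).toLowerCase();
  const urlPort = u.port || DEFAULT_PORTS[urlScheme] || "";

  // Scheme: an explicit scheme must match; a scheme-less source inherits the document's.
  if (s.scheme !== null ? s.scheme !== urlScheme : urlScheme !== documentScheme) return false;
  if (!hostMatches(s.host, u.hostname.toLowerCase())) return false;

  // Port: an absent port-part means "the default port for the URL's scheme".
  if (s.port === null) {
    if (urlPort !== (DEFAULT_PORTS[urlScheme] || "")) return false;
  } else if (s.port !== "*" && s.port !== urlPort) {
    return false;
  }

  // Path: ignored after a redirect, so a path restriction only governs the first hop.
  if (redirected || s.path === "") return true;
  if (s.path.endsWith("/")) return u.pathname.startsWith(s.path);
  return u.pathname === s.path;
}

// Evaluates a list of host-source expressions the way a 'script-src' directive would.
function scriptAllowed(sources, urlString, opts) {
  return sources.some((src) => sourceMatches(src, urlString, opts));
}

// Constructed scenario: a page whitelists its CDN host either whole or by path.
function demo() {
  const hostOnly = ["https://static.example.com"];
  const withPath = ["https://static.example.com/js/"];
  const legit = "https://static.example.com/js/app.js";
  // A JSONP endpoint whose callback name the attacker picks is a script-shaped
  // response living on the same host as the real scripts.
  const jsonp = "https://static.example.com/api/jsonp?callback=attackerFn";
  return {
    legitHostOnly: scriptAllowed(hostOnly, legit),
    legitWithPath: scriptAllowed(withPath, legit),
    jsonpHostOnly: scriptAllowed(hostOnly, jsonp), // the whole host is open
    jsonpWithPath: scriptAllowed(withPath, jsonp), // the path restriction bites
    // Reached via a redirect: the path restriction no longer applies.
    jsonpWithPathAfterRedirect: scriptAllowed(withPath, jsonp, { redirected: true }),
  };
}
```

Running demo() gives true/true/true/false/true: the path restriction is what keeps the JSONP endpoint out of a direct <script src>, and the redirect rule is what gives it back, which is the tension the thread is arguing over.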