Re: Remove paths from CSP?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 12 Feb 2014 10:40:20 +0000
Message-ID: <CADnb78hBcm8w=LN7r0B_mtSDtgDGZ+JcV2SEnwZWXeUccHS9Hw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Michal Zalewski <lcamtuf@google.com>, "Eduardo' Vela" <evn@google.com>, Brad Hill <bhill@paypal-inc.com>, Odin Hørthe Omdal <odinho@opera.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>, Garrett Robinson <grobinson@mozilla.com>, Daniel Veditz <dveditz@mozilla.com>

On Wed, Feb 12, 2014 at 10:21 AM, Mike West <mkwst@google.com> wrote:
> Happily, I'm not on Google's infra security team, so I can suggest that
> Google should be more careful about a) scoping APIs to origins, and b) not
> allowing arbitrary callbacks, while remaining blissfully unaware of the work
> that would be involved in doing so. :)

Given CORS, using JSONP seems bad. Are there still too many legacy user agents?


-- 
http://annevankesteren.nl/
Received on Wednesday, 12 February 2014 10:40:46 UTC
