- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Mon, 30 Jun 2014 16:10:47 -0700
- To: pamela fox <pamela.fox@gmail.com>
- Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

> The concerning aspect of this is that it can be used for something like
> phishing attacks, to solicit and store user info.

So as I understand it, you're not trying to prevent phishing as such, but want to prevent the exfiltration of data by making an outgoing request?

I'm not sure this is something that CSP really solves (I think the early Mozilla drafts might have aimed for something along these lines). For the most part, CSP doesn't really prevent already-running JavaScript from using window.postMessage() to relay the data to another window, etc.

Received on Monday, 30 June 2014 23:11:37 UTC