
Re: [CSP] may we have script-ancestors to protect JSONP call

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 4 Nov 2014 15:17:47 -0800
Message-ID: <CAEeYn8gDd_+otEv7z3NpJsq-jp0gnMBNFgeXTD=7UAixMFKx0g@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Hatter Jiang OWS <hatter@openwebsecurity.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
We discussed this at TPAC and decided to leave it open as a possible
direction for CSP Level 3 or other work to happen under our new

Minutes of the discussion are available here:


And this is tracked by ISSUE-71:


-Brad Hill

On Mon, Sep 1, 2014 at 2:17 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Aug 28, 2014 at 7:36 AM, Hatter Jiang OWS
> <hatter@openwebsecurity.org> wrote:
>> As far as I know, CORS is used for XHR. If the user's browser does not support
>> CORS, then we also have to implement JSONP.
>> But if CSP supports this, it will help websites and users improve security, and by
>> using report-uri, the website can know if that caused an attack (at least
>> modern browsers will report this).
> Try to switch to CORS. JSONP is a bad programming model even if you
> solve this. What you seem to want is something like
> http://www.w3.org/TR/from-origin/ which died a quick death last time
> around.
> --
> http://annevankesteren.nl/
Received on Tuesday, 4 November 2014 23:18:14 UTC
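The exchange above turns on one behaviour: a JSONP endpoint is fetched as a script, so the browser sends the user's cookies and executes the response for whatever page included it, and neither CSP on the including page nor anything on the endpoint can say which origins may do so. The following is an added example, not code from the thread or from any W3C deliverable. It models, as pure in-memory request/response functions that run under Node without a network, the JSONP endpoint Hatter describes and the data leak it allows, the CORS endpoint Anne recommends instead, and a hypothetical browser-side check for the proposed `script-ancestors` directive (the header placement and syntax are assumed, modelled on `frame-ancestors`; nothing of the kind shipped). The session store, the `https://app.example` allowlist and the `https://evil.example` attacker origin are constructed sample data.

```javascript
// Added example, not code from the thread. Models three things: a JSONP
// endpoint any origin can read, the CORS endpoint Anne recommends, and the
// proposed "script-ancestors" check (hypothetical header name and syntax,
// modelled on frame-ancestors). All request/response objects are constructed
// in-memory; nothing listens on the network.

// Constructed sample session store: Cookie header -> the user's private data.
const SESSIONS = { "sid=abc123": { user: "alice", email: "alice@example.org" } };
const lookupSession = (req) => SESSIONS[req.headers.cookie] || null;

// JSONP: the data is wrapped in the caller's callback and served as a script.
function jsonpHandler(req) {
  const profile = lookupSession(req);
  if (!profile) return { status: 401, headers: {}, body: "" };
  const cb = req.query.callback;
  // A strict identifier check stops reflected script injection via ?callback=,
  // but says nothing about which origins may include the script.
  if (!/^[A-Za-z_$][\w$]*$/.test(cb)) return { status: 400, headers: {}, body: "" };
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: `${cb}(${JSON.stringify(profile)});`,
  };
}

// CORS: plain JSON; the browser exposes it to a page only when its allowlisted
// Origin is echoed back. Assumed allowlist of one first-party app origin.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);
function corsHandler(req) {
  const headers = { "Content-Type": "application/json", "X-Content-Type-Options": "nosniff", Vary: "Origin" };
  const origin = req.headers.origin;
  if (ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin; // never "*" together with credentials
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  const profile = lookupSession(req);
  if (!profile) return { status: 401, headers, body: "" };
  return { status: 200, headers, body: JSON.stringify(profile) };
}

// Browser model, attacker side: <script src=".../profile?callback=leak"> on
// https://evil.example. The cookie rides along with the script request (no
// SameSite in 2014) and the body executes with the attacker's "leak" in scope.
function scriptTagRead(resp, callbackName) {
  if (resp.status !== 200) return null;
  let captured = null;
  new Function(callbackName, resp.body)((data) => { captured = data; });
  return captured;
}

// Browser model, CORS side: a credentialed XHR exposes the body only if ACAO
// equals the page origin exactly and ACAC is "true".
function xhrRead(pageOrigin, resp) {
  const h = resp.headers;
  if (h["Access-Control-Allow-Origin"] !== pageOrigin || h["Access-Control-Allow-Credentials"] !== "true") return null;
  return JSON.parse(resp.body);
}

// Browser model of the thread's proposal (hypothetical): the script response
// carries "Content-Security-Policy: script-ancestors <origins>" and the browser
// refuses to execute it unless the including page's origin is listed.
function scriptAncestorsAllows(resp, pageOrigin) {
  const csp = resp.headers["Content-Security-Policy"] || "";
  const m = /script-ancestors\s+([^;]+)/.exec(csp);
  if (!m) return true; // no directive: today's behaviour, anyone may include it
  return m[1].trim().split(/\s+/).includes(pageOrigin);
}

// What a page at pageOrigin learns from each variant of the endpoint.
function simulate(pageOrigin) {
  const req = { headers: { cookie: "sid=abc123", origin: pageOrigin }, query: { callback: "leak" } };
  const jsonp = jsonpHandler(req);
  const guarded = { ...jsonp, headers: { ...jsonp.headers, "Content-Security-Policy": "script-ancestors https://app.example" } };
  return {
    jsonpLeak: scriptTagRead(jsonp, "leak"),                           // any origin reads it
    corsData: xhrRead(pageOrigin, corsHandler(req)),                   // allowlisted origin only
    guardedLeak: scriptAncestorsAllows(guarded, pageOrigin) ? scriptTagRead(guarded, "leak") : null,
  };
}
```

Running `simulate("https://evil.example")` shows the asymmetry the thread is about: the JSONP body hands the attacker page the logged-in user's profile, the CORS response is withheld because the server never echoed that Origin, and the hypothetical `script-ancestors` response is refused by the modelled browser. The same call with `https://app.example` returns the data on all three paths. The difference between the second and third cases is where the allowlist lives: CORS puts it on the server and needs no browser change beyond what already exists, which is why Anne's reply is "switch to CORS" rather than a new directive.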
