
Re: [CSP] may we have script-ancestors to protect JSONP call

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 4 Nov 2014 15:17:47 -0800
Message-ID: <CAEeYn8gDd_+otEv7z3NpJsq-jp0gnMBNFgeXTD=7UAixMFKx0g@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Hatter Jiang OWS <hatter@openwebsecurity.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

We discussed this at TPAC and decided to leave it open as a possible
direction for CSP Level 3 or other work to happen under our new
charter.

Minutes of the discussion are available here:

http://www.w3.org/2014/10/27-webappsec-minutes.html#item12

And this is tracked by ISSUE-71:

https://www.w3.org/2011/webappsec/track/issues/71

-Brad Hill

On Mon, Sep 1, 2014 at 2:17 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Aug 28, 2014 at 7:36 AM, Hatter Jiang OWS
> <hatter@openwebsecurity.org> wrote:
>> As far as I know, CORS is used for XHR. If the user's browser does not support
>> CORS, then we also have to implement JSONP.
>>
>> But if CSP supports this, it will help websites and users improve security, and by
>> using report-uri, the website can know if that causes an attack (at least the
>> modern browser will report this).
>
> Try to switch to CORS. JSONP is a bad programming model even if you
> solve this. What you seem to want is something like
> http://www.w3.org/TR/from-origin/ which died a quick death last time
> around.
>
>
> --
> http://annevankesteren.nl/
>
Received on Tuesday, 4 November 2014 23:18:14 UTC
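The JSONP-to-CORS switch Anne recommends, as an added example that is not part of the thread: two request handlers over a constructed request object show why a JSONP endpoint has no origin to check, while a CORS endpoint can decide per origin. The payload, the allowlist and the request shapes are assumptions for illustration.

```javascript
// Added example, not from the thread. Sample payload and allowlist are constructed.
const PRIVATE_DATA = { user: 'alice', balance: 42 };
const ALLOWED_ORIGINS = new Set(['https://app.example']);

// JSONP: the caller loads the URL with <script src="...?callback=f">. A classic
// script load sends the user's cookies but no Origin header, so the server has
// nothing to check and any page that embeds the URL gets the data in its callback.
function handleJsonp(req) {
  const cb = req.query.callback;
  // Restrict the callback to an identifier so the endpoint cannot echo arbitrary JS.
  if (typeof cb !== 'string' || !/^[A-Za-z_$][\w$]*$/.test(cb)) {
    return { status: 400, headers: {}, body: '' };
  }
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: `${cb}(${JSON.stringify(PRIVATE_DATA)});`,
  };
}

// CORS: fetch/XHR send an Origin header on cross-origin requests, so the server
// can decide per origin. Unlisted origins get 403 rather than relying on the
// browser to withhold the body; allowed origins get the headers the browser
// needs before it exposes a credentialed response to the page.
function handleCors(req) {
  const origin = req.headers.origin;
  const headers = { 'Content-Type': 'application/json', Vary: 'Origin' };
  if (origin !== undefined) {
    if (!ALLOWED_ORIGINS.has(origin)) {
      return { status: 403, headers, body: '' };
    }
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  // No Origin header: same-origin navigation or a non-browser client.
  return { status: 200, headers, body: JSON.stringify(PRIVATE_DATA) };
}

// Approximates the browser's decision: a cross-origin page may read the body
// only when the response names that page's origin.
function browserExposes(resp, pageOrigin) {
  return resp.status === 200 &&
    resp.headers['Access-Control-Allow-Origin'] === pageOrigin;
}
```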
