Re: [CSP] may we have script-ancestors to protect JSONP call

We discussed this at TPAC and decided to leave it open as a possible
direction for CSP Level 3 or other work to happen under our new

Minutes of the discussion are available here:

And this is tracked by ISSUE-71:

-Brad Hill

On Mon, Sep 1, 2014 at 2:17 AM, Anne van Kesteren <> wrote:
> On Thu, Aug 28, 2014 at 7:36 AM, Hatter Jiang OWS
> <> wrote:
>> As far as I know, CORS is used for XHR. If the user's browser does not support
>> CORS, then we also have to implement JSONP.
>> But if CSP supports this, it will help websites and users improve security, and by
>> using report-uri, the website can know if that caused an attack (at least
>> modern browsers will report this).
> Try to switch to CORS. JSONP is a bad programming model even if you
> solve this. What you seem to want is something like
> which died a quick death last time
> around.
> --
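The JSONP-versus-CORS point in the quoted exchange, as an added example that is not code from this thread or from any of its participants: two request handlers written as pure functions over a request description so they run offline (the allowlist, the user record and the request shape are assumed). The JSONP handler can only validate the callback name, because the <script> load that fetches it is exempt from the same-origin policy; the CORS handler decides per Origin who may read the data, which is the property the "switch to CORS" advice relies on.

```javascript
// Added example, not from the thread. Constructed sample data and an assumed
// allowlist; the request object shape { query, headers } is also an assumption.
const USER_DATA = { user: 'alice', email: 'alice@example.test' }; // constructed
const ALLOWED_ORIGINS = new Set(['https://app.example.test']);   // assumed allowlist
const CALLBACK_RE = /^[A-Za-z_$][\w$]*$/;                        // plain identifier only

// JSONP: the page loads this with <script src=...>, which bypasses the
// same-origin policy. The only thing the server can do is refuse callback
// names that are not bare identifiers, so the response cannot be turned into
// arbitrary script. Any origin that embeds the script still receives the data.
function handleJsonp(req) {
  const cb = (req.query && req.query.callback) || '';
  if (!CALLBACK_RE.test(cb)) {
    return { status: 400, headers: {}, body: '' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `${cb}(${JSON.stringify(USER_DATA)});`,
  };
}

// CORS: the browser sends an Origin header on cross-origin XHR/fetch and only
// lets the page read the response when Access-Control-Allow-Origin matches.
// The server, not the embedding page, chooses who may read the data.
function handleCors(req) {
  const origin = req.headers && req.headers.origin;
  const jsonHeaders = { 'Content-Type': 'application/json', 'Vary': 'Origin' };
  if (!origin) {
    // No Origin header: same-origin request or direct navigation.
    return { status: 200, headers: jsonHeaders, body: JSON.stringify(USER_DATA) };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {}, body: '' }; // unknown origins get nothing
  }
  return {
    status: 200,
    headers: {
      ...jsonHeaders,
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
    },
    body: JSON.stringify(USER_DATA),
  };
}
```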

Received on Tuesday, 4 November 2014 23:18:14 UTC