- From: Brad Hill <hillbrad@gmail.com>
- Date: Tue, 4 Nov 2014 15:17:47 -0800
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Hatter Jiang OWS <hatter@openwebsecurity.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
We discussed this at TPAC and decided to leave it open as a possible direction for CSP Level 3 or other work to happen under our new charter.

Minutes of the discussion are available here:
http://www.w3.org/2014/10/27-webappsec-minutes.html#item12

And this is tracked by ISSUE-71:
https://www.w3.org/2011/webappsec/track/issues/71

-Brad Hill

On Mon, Sep 1, 2014 at 2:17 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Aug 28, 2014 at 7:36 AM, Hatter Jiang OWS
> <hatter@openwebsecurity.org> wrote:
>> As far as I know, CORS used for XHR, If user's browser does not support
>> CORS, then we also have implement JSONP.
>>
>> But if CSP support this, will help website and user improve security, and by
>> using report-uri, website can know if that cause an attack (at least the
>> modern browser will report this).
>
> Try to switch to CORS. JSONP is a bad programming model even if you
> solve this. What you seem to want is something like
> http://www.w3.org/TR/from-origin/ which died a quick death last time
> around.
>
>
> --
> http://annevankesteren.nl/
Received on Tuesday, 4 November 2014 23:18:14 UTC