Re: [CSP] may we have script-ancestors to protect JSONP call

On Thu, Aug 28, 2014 at 7:36 AM, Hatter Jiang OWS
<hatter@openwebsecurity.org> wrote:
> As far as I know, CORS is used for XHR. If the user's browser does not support
> CORS, then we also have to implement JSONP.
>
> But if CSP supports this, it will help websites and users improve security, and by
> using report-uri, a website can know if that causes an attack (at least
> modern browsers will report this).

Try to switch to CORS. JSONP is a bad programming model even if you
solve this. What you seem to want is something like
http://www.w3.org/TR/from-origin/ which died a quick death last time
around.


-- 
http://annevankesteren.nl/

Received on Monday, 1 September 2014 09:17:56 UTC
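The exchange above turns on one security difference: a JSONP endpoint is JavaScript that any page can execute via a <script> element, with the user's cookies attached, so whatever the callback receives is visible to that page; a CORS endpoint is JSON, which a <script> element cannot execute, and the server decides per Origin whether a cross-origin page may read it. The following is an added example, not code from the thread or from any W3C specification. It models both endpoints as plain functions over simplified request and response objects (an assumption, so it runs without a server) plus a small stand-in for the browser's read-access rule; the allowlist origin https://app.example, the server origin https://api.example and the sample data are constructed.

```javascript
// Added example, not from the thread. Models a JSONP endpoint, a CORS
// endpoint and the browser-side rule that decides which pages get the data.

const SERVER_ORIGIN = "https://api.example";                // assumed
const ALLOWED_ORIGINS = new Set(["https://app.example"]);   // assumed allowlist
const PRIVATE_DATA = { user: "alice", balance: 42 };        // constructed sample

// JSONP: the body is script. Any page that includes
// <script src="https://api.example/data?callback=cb"> runs it with the
// user's cookies on the request, so the data leaks to that page. The only
// defence available here is to refuse callback names that are not plain
// identifiers, which stops reflected script injection but not the leak.
function jsonpResponse(query) {
  const cb = query.callback || "callback";
  if (!/^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/.test(cb)) {
    return { status: 400, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript",
      "X-Content-Type-Options": "nosniff",
    },
    // Leading comment defeats some content-sniffing attacks on the body.
    body: `/**/ ${cb}(${JSON.stringify(PRIVATE_DATA)});`,
  };
}

// CORS: the body is JSON, not executable by a <script> element. A cross-origin
// fetch/XHR may read it only when the server echoes the request Origin in
// Access-Control-Allow-Origin. The server checks its allowlist; the browser
// enforces the answer.
function corsResponse(headers) {
  const origin = headers.origin;
  const base = {
    "Content-Type": "application/json",
    "X-Content-Type-Options": "nosniff",
    "Vary": "Origin",   // responses differ per Origin; keep caches honest
  };
  const body = JSON.stringify(PRIVATE_DATA);
  if (origin === undefined || origin === SERVER_ORIGIN) {
    // Same-origin request: no CORS headers needed.
    return { status: 200, headers: base, body };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Not on the allowlist: omit ACAO. The browser blocks the page from
    // reading the body. (A 403 would also be fine; omission is enough.)
    return { status: 200, headers: base, body };
  }
  return {
    status: 200,
    headers: {
      ...base,
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",  // cookies were sent
    },
    body,
  };
}

// Stand-in for the browser's rule: can a page at pageOrigin observe the data?
// Script bodies run wherever they are embedded; JSON bodies are readable
// cross-origin only with a matching Access-Control-Allow-Origin.
function pageCanReadData(pageOrigin, response) {
  if (response.status !== 200) return false;
  const ct = response.headers["Content-Type"] || "";
  if (ct.startsWith("application/javascript")) return true;
  if (pageOrigin === SERVER_ORIGIN) return true;
  const acao = response.headers["Access-Control-Allow-Origin"];
  return acao === pageOrigin;
}

// Illustration: the same private data, requested by an attacker's page.
const attacker = "https://evil.example";
console.log("JSONP readable by attacker:",
  pageCanReadData(attacker, jsonpResponse({ callback: "cb" })));           // true
console.log("CORS readable by attacker:",
  pageCanReadData(attacker, corsResponse({ origin: attacker })));           // false
console.log("CORS readable by allowlisted app:",
  pageCanReadData("https://app.example",
    corsResponse({ origin: "https://app.example" })));                      // true
```

The allowlist in corsResponse is the decision a From-Origin or script-ancestors style header would have let the JSONP server express; moving to CORS puts that decision on the data path, where the browser already enforces it, and leaves nothing for a third-party page to execute.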