W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2014

Re: [CSP] may we have script-ancestors to protect JSONP call

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 1 Sep 2014 11:17:30 +0200
Message-ID: <CADnb78jtT_79AU1QjOVNrt5QiqYMbqxSYVa-NO5Ek0cL85x6EA@mail.gmail.com>
To: Hatter Jiang OWS <hatter@openwebsecurity.org>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Aug 28, 2014 at 7:36 AM, Hatter Jiang OWS
<hatter@openwebsecurity.org> wrote:
> As far as I know, CORS is used for XHR. If the user's browser does not support
> CORS, then we also have to implement JSONP.
>
> But if CSP supports this, it will help websites and users improve security, and by
> using report-uri, a website can know if that causes an attack (at least
> modern browsers will report this).

Try to switch to CORS. JSONP is a bad programming model even if you
solve this. What you seem to want is something like
http://www.w3.org/TR/from-origin/ which died a quick death last time
around.


-- 
http://annevankesteren.nl/
Received on Monday, 1 September 2014 09:17:56 UTC
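The contrast the reply draws, as an added example that is not part of the thread and not code from either participant: a model of a JSONP endpoint beside its CORS equivalent, with the browser-side outcome for a foreign page. The session store, the request shape, the `ALLOWED_ORIGINS` whitelist and the origins `https://app.example` and `https://evil.example` are all assumptions made for the example; the browser checks follow the CORS rules for credentialed requests. It does not implement the proposed `script-ancestors` directive or `From-Origin`, only the JSONP-versus-CORS point.

```javascript
// Added example (not from the thread). Two handlers for the same private data:
// a JSONP endpoint, executable by any page that embeds it as a <script>, and a
// CORS endpoint whose JSON body the browser only exposes to whitelisted origins.
// ALLOWED_ORIGINS, SESSIONS and the request objects are constructed assumptions.

const ALLOWED_ORIGINS = new Set(['https://app.example']); // our own front end

// Constructed session store: cookie value -> private profile.
const SESSIONS = {
  'sid=abc123': { user: 'alice', email: 'alice@example' },
};

// JSONP callback names must be plain identifiers; echoing the parameter
// unfiltered turns the endpoint into a reflected script-injection sink as well.
function safeCallbackName(name) {
  return typeof name === 'string' && /^[A-Za-z_$][\w$]*$/.test(name) ? name : null;
}

// JSONP: GET /api/me?callback=cb, triggered by <script src=...> on any site.
function handleJsonp(req) {
  const session = SESSIONS[req.cookie];
  if (!session) return { status: 401, headers: {}, body: '' };
  const cb = safeCallbackName(req.query.callback);
  if (!cb) return { status: 400, headers: {}, body: '' };
  // A classic <script> load carries no Origin header, so the server cannot tell
  // which page embedded it and has no hook to refuse a foreign one.
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: `${cb}(${JSON.stringify(session)});`,
  };
}

// CORS: the same data as JSON, readable only by whitelisted origins.
function handleCors(req) {
  const headers = { 'Content-Type': 'application/json', Vary: 'Origin' };
  const origin = req.headers.origin;
  if (ALLOWED_ORIGINS.has(origin)) {
    // Echo the specific origin; '*' is not allowed for credentialed requests.
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  const session = SESSIONS[req.cookie];
  if (!session) return { status: 401, headers, body: '' };
  return { status: 200, headers, body: JSON.stringify(session) };
}

// Browser-side outcome for a page at pageOrigin using the JSONP endpoint: the
// response is a script, so it runs and the callback receives the data whatever
// the page's origin is. Returns what the page obtains, or null.
function jsonpLeak(pageOrigin, cookie) {
  const resp = handleJsonp({ cookie, query: { callback: 'cb' }, headers: {} });
  if (resp.status !== 200) return null;
  let captured = null;
  const receiver = (data) => { captured = data; };
  new Function('cb', resp.body)(receiver); // what <script> execution amounts to
  return captured;
}

// Browser-side outcome for fetch(url, {credentials: 'include'}) from pageOrigin:
// the body reaches the page only if the CORS headers name that exact origin.
function corsExposed(pageOrigin, cookie) {
  const resp = handleCors({ cookie, headers: { origin: pageOrigin } });
  const allowOrigin = resp.headers['Access-Control-Allow-Origin'];
  const allowCreds = resp.headers['Access-Control-Allow-Credentials'] === 'true';
  if (allowOrigin !== pageOrigin || !allowCreds) return null; // blocked by the browser
  return resp.status === 200 ? JSON.parse(resp.body) : null;
}

// Demo: an attacker page at https://evil.example while the victim is logged in.
console.log('JSONP from evil.example:', jsonpLeak('https://evil.example', 'sid=abc123'));
console.log('CORS  from evil.example:', corsExposed('https://evil.example', 'sid=abc123'));
console.log('CORS  from app.example :', corsExposed('https://app.example', 'sid=abc123'));
```

The JSONP handler has no decision point at which it could reject `evil.example`, which is the gap the original poster wanted a CSP directive to cover; the CORS handler makes that decision server-side and the browser enforces it, with `Vary: Origin` keeping caches from serving one origin's response to another.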
