- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 1 Sep 2014 11:17:30 +0200
- To: Hatter Jiang OWS <hatter@openwebsecurity.org>
- Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Aug 28, 2014 at 7:36 AM, Hatter Jiang OWS <hatter@openwebsecurity.org> wrote:
> As far as I know, CORS used for XHR, If user's browser does not support
> CORS, then we also have implement JSONP.
>
> But if CSP support this, will help website and user improve security, and by
> using report-uri, website can know if that cause an attack(at least the
> modern browser will report this).

Try to switch to CORS. JSONP is a bad programming model even if you solve this. What you seem to want is something like http://www.w3.org/TR/from-origin/ which died a quick death last time around.

--
http://annevankesteren.nl/

Received on Monday, 1 September 2014 09:17:56 UTC