
Re: [whatwg] How can a server or serverside script identify if a request is from a page, iframe or xhr?

From: Roger Hågensen <rh_whatwg@skuldwyrm.no>
Date: Tue, 1 Nov 2016 11:32:48 +0100
To: whatwg@lists.whatwg.org
Message-ID: <9d6bfe65-92ec-170c-2849-0e3a6bfb7d8e@skuldwyrm.no>

On 2016-11-01 10:42, Roger Hågensen wrote:
> I was wondering how can a server or script identify if a request is from
> page, iframe or xhr?


I really hate answering myself (and so soon after making a post) but it 
seems I have found the answer at
https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives

and the support is pretty good according to
http://caniuse.com/#feat=contentsecuritypolicy


But on MDN it says "For workers, non-compliant requests are treated as 
fatal network errors by the user agent."
But does this apply to non-workers too?

And is there any way to prevent injected hostile scripts?
I guess loading scripts from a specific (whitelisted) URL could do the 
trick? Or maybe using strict-dynamic.

Darn it. I may just have answered my own questions here.


-- 
Roger Hågensen, Freelancer, http://skuldwyrm.no/
Received on Tuesday, 1 November 2016 10:33:22 UTC
