W3C home > Mailing lists > Public > whatwg@whatwg.org > November 2016

Re: [whatwg] How can a server or serverside script identify if a request is from a page, iframe or xhr?

From: Roger Hågensen <rh_whatwg@skuldwyrm.no>
Date: Tue, 1 Nov 2016 11:36:02 +0100
To: whatwg@lists.whatwg.org
Message-ID: <7c99fe77-a84d-b6f1-0334-34ea20b05384@skuldwyrm.no>
On 2016-11-01 11:26, Michael A. Peters wrote:
> Any server admin that trusts a header sent by a client for security
> purposes is a fool. They lie, and any browser extension or plugin can
> influence what headers are sent and what they contain.

Wait, are you saying that ContentSecurityPolicy can't be relied upon?
(regarding me finding CSP see my answer to myself in another message)

Roger Hågensen, Freelancer, http://skuldwyrm.no/
Received on Tuesday, 1 November 2016 10:36:34 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 17:00:40 UTC