Re: [whatwg] How can a server or serverside script identify if a request is from a page, iframe or xhr?

On 2016-11-01 11:26, Michael A. Peters wrote:
> Any server admin that trusts a header sent by a client for security
> purposes is a fool. They lie, and any browser extension or plugin can
> influence what headers are sent and what they contain.

Wait, are you saying that ContentSecurityPolicy can't be relied upon?
(regarding me finding CSP see my answer to myself in another message)



-- 
Roger Hågensen, Freelancer, http://skuldwyrm.no/

Received on Tuesday, 1 November 2016 10:36:34 UTC