On Nov 21, 6:50 pm, Lucas Adamski <[EMAIL PROTECTED]> wrote:
> >>> (3) Currently the spec focuses on the "host items" -- has any thought
> >>> been given to allowing CSP to extend to sites being referenced by "host
> >>> items"? That is, allowing a site to specify that it can't be embedded
> >>> on another site via frame or object, etc? I imagine it would be
> >>> similar to the Access Control for XS-XHR[2].
> >
> >> I would agree with Gerv, that this feels a bit out of scope for this
> >> particular proposal.
> >
> > Then maybe something to consider down the road. It would be useful to
> > prevent hot linking and clickjacking.
>
> I think the primary reason this seems out of scope is that CSP is a
> mechanism for servers to govern their own content, rather than
> specifying policies for 3rd party content. The latter seems more like
> the domain of Access Control. Access Control AFAIK is not intended just
> for XHR2, so I could imagine it being extended to govern opt-out of
> cross-domain content loading, as well as to opt-in.
I was thinking Access Control was close, but it currently has this as its abstract:

-----
This document defines a mechanism to enable client-side cross-site requests. Specifications that want to enable cross-site requests in an API they define can use the algorithms defined by this specification. If such an API is used on http://example.org resources, a resource on http://hello-world.example can opt in using the mechanism described by this specification (e.g., specifying Access-Control-Allow-Origin: http://example.org as response header), which would allow that resource to be fetched cross-site from http://example.org.
-----

That to me means it's geared strictly for XHR, but maybe "cross-site requests" is supposed to include any type of cross-site request, including img, script, object, etc. I agree though, Access Control seems like a better fit for this type of functionality. I'll approach Anne and see what he thinks.

Thanks for the reply,

- Bil

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
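To make concrete what the quoted abstract describes, and why it answers a different question from "who may embed me", here is an added example that is not code from the thread, from CSP, or from the Access Control spec. It models the opt-in as two decisions: the resource at http://hello-world.example picks an Access-Control-Allow-Origin value for a request from a given origin, and the user agent then checks that value against the requesting document's origin. The two origins come from the abstract; the allowlist, the function names (allowOriginHeader, responseExposed, crossSiteFetch) and the sample requesting origins are constructed for this illustration.

```javascript
// Added illustration (not code from the thread or the Access Control spec):
// a model of the per-origin opt-in the quoted abstract describes.
// Origins are taken from the abstract; the allowlist and function names
// are constructed for this example.

const RESOURCE_ORIGIN = 'http://hello-world.example';      // resource being fetched
const ALLOWED_REQUESTERS = new Set(['http://example.org']); // constructed allowlist

// Server side (hello-world.example): choose the Access-Control-Allow-Origin
// value for a request whose Origin header is `requestOrigin`.
// Returns null when the resource does not opt in for that origin.
function allowOriginHeader(requestOrigin) {
  if (!requestOrigin) return null;                    // no Origin header: nothing to opt in for
  if (requestOrigin === RESOURCE_ORIGIN) return null; // same-origin needs no opt-in
  // Exact string comparison: a different scheme or port is a different origin,
  // so "https://example.org" does not match the entry "http://example.org".
  return ALLOWED_REQUESTERS.has(requestOrigin) ? requestOrigin : null;
}

// Client side (user agent): may a document at `documentOrigin` read a
// response from RESOURCE_ORIGIN that carried `allowOriginValue`?
function responseExposed(documentOrigin, allowOriginValue) {
  if (documentOrigin === RESOURCE_ORIGIN) return true; // same origin, no check needed
  if (allowOriginValue === null) return false;         // resource did not opt in
  if (allowOriginValue === '*') return true;           // opted in for every origin
  return allowOriginValue === documentOrigin;          // must name this origin exactly
}

// End to end: a page at `documentOrigin` fetches the resource cross-site.
// The decision is driven by the requesting document's origin and the
// resource's opt-in for that origin; nothing here lets the resource say
// which other sites may frame or embed it.
function crossSiteFetch(documentOrigin) {
  const header = allowOriginHeader(documentOrigin);
  return { header, exposed: responseExposed(documentOrigin, header) };
}

// Stand-alone run: show the decision for a few constructed requesting origins.
for (const origin of ['http://example.org', 'https://example.org', 'http://other.example']) {
  console.log(origin, crossSiteFetch(origin));
}
```

The shape of the check is the point: the resource grants read access to a named requesting origin, and the grant is only consulted by an API that uses the Access Control algorithms. A site that wants to refuse being loaded into another site's frame or object needs the opposite direction of control, which is what the question at the top of the thread is asking about.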
