Yes, my understanding is that Access Control is actually intended as a
generic cross-site server policy mechanism, and XHR is just its first
implementation.  Thanks,
 Lucas.

Bil Corry wrote:
> On Nov 21, 6:50 pm, Lucas Adamski <[EMAIL PROTECTED]> wrote:
>>>>> (3) Currently the spec focuses on the "host items" -- has any thought
>>>>> be given to allowing CSP to extend to sites being referenced by "host
>>>>> items"?  That is, allowing a site to specify that it can't be embedded
>>>>> on another site via frame or object, etc?  I imagine it would be
>>>>> similar to the Access Control for XS-XHR[2].
>>>> I would agree with Gerv, that this feels a bit out of scope for this
>>>> particular proposal.
>>> Then maybe something to consider down the road.  It would be useful to
>>> prevent hot linking and clickjacking.
>> I think the primary reason this seems out of scope is that CSP is a
>> mechanism for servers to govern their own content, rather than
>> specifying policies for 3rd party content.  The latter seems more like
>> the domain of Access Control.  Access Control AFAIK is not intended just
>> for XHR2, so I could imagine it being extended to govern opt-out of
>> cross-domain content loading, as well as to opt-in.
> 
> I was thinking Access Control was close, but it currently has this as
> its abstract:
> 
> -----
> This document defines a mechanism to enable client-side cross-site
> requests. Specifications that want to enable cross-site requests in an
> API they define can use the algorithms defined by this specification.
> If such an API is used on http://example.org resources, a resource on
> http://hello-world.example can opt in using the mechanism described by
> this specification (e.g., specifying Access-Control-Allow-Origin:
> http://example.org as response header), which would allow that
> resource to be fetched cross-site from http://example.org.
> -----
> 
> That to me means it's geared strictly for XHR, but maybe "cross-site
> requests" is supposed to include any type of cross-site request,
> including img, script, object, etc.
> 
> I agree though, Access Control seems like a better fit for this type
> of functionality.  I'll approach Anne and see what he thinks.
> 
> Thanks for the reply,
> 
> 
> - Bil
> _______________________________________________
> dev-security mailing list
> dev-security@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security
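The opt-in exchange from the quoted abstract, as an added example that is not part of this thread or of the specification: the resource on hello-world.example opts in only for an allow-listed origin, and the client exposes the cross-site response only when the header matches its own origin. Function names and the allowlist are assumptions; the example shows why the mechanism expresses "who may read me", not "who may embed me".

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist on the resource side (http://hello-world.example).
ALLOWED_ORIGINS = {"http://example.org"}


def serialize_origin(url: str) -> str:
    """Reduce a URL to scheme://host[:port], dropping default ports."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return "null"
    scheme = parts.scheme.lower()
    origin = f"{scheme}://{parts.hostname.lower()}"
    default = {"http": 80, "https": 443}.get(scheme)
    if parts.port is not None and parts.port != default:
        origin += f":{parts.port}"
    return origin


def server_response_headers(request_origin: Optional[str]) -> dict:
    """Resource side: opt in only for an allow-listed origin.
    Reflecting every Origin back would opt in the whole web."""
    if request_origin is None:
        return {}
    origin = serialize_origin(request_origin)
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin}
    return {}


def client_may_read(page_origin: str, response_headers: dict) -> bool:
    """Client side: a missing header means the response stays opaque."""
    allow = response_headers.get("Access-Control-Allow-Origin")
    if allow is None:
        return False
    if allow.strip() == "*":
        return True
    return serialize_origin(allow) == serialize_origin(page_origin)


def fetch_cross_site(page_url: str, resource_url: str) -> bool:
    """Whole exchange: a page on page_url fetches resource_url."""
    page_origin = serialize_origin(page_url)
    if page_origin == serialize_origin(resource_url):
        return True  # same-origin never needed the opt-in
    headers = server_response_headers(page_origin)
    return client_may_read(page_origin, headers)
```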