On Tue, 07 Sep 2010 22:57:27 +0200, Adam Barth <w...@adambarth.com> wrote:
It sounds like CSP is creating sub-origin privileges. Sub-origin
privileges don't really work, so it's unclear to what a sensible
result would be.
This is a problem with your alternative CSP proposal as well, no?
https://wiki.mozilla.org/Security/CSP/AllowedScripts
It prevents a bunch of things, but when loaded in an iframe someone else
on the same-origin can still inject a script of some sorts.
--
Anne van Kesteren
http://annevankesteren.nl/