On 12/8/2012 3:04 PM, Jesper Kristensen wrote:
> Related things: XSS is unrelated to my question. CORS allows me to do
> the opposite of what I want. CSP restricts how my code can access any
> data, whereas I want to restrict how any code can access my data.
CSP may or may not in the future try to protect against cross-site use
of resources. It's taken a step in that direction with Mozilla's
original frame-ancestors directive (not included in the spec) and the
probable adoption of frame-options in CSP 1.1.
There has also been a proposed "From-Origin:" header to protect
resources in the way you're trying. It seems to have withered so don't
expect to use it, but it is at least evidence that some people are
thinking along these lines.
http://www.w3.org/TR/2012/NOTE-from-origin-20120529/
NB that any such mechanism assumes an honest browser. It can protect
users from being abused by a third party, or perhaps protect your site
content from 3rd party abuse via authorized users, but if you have
sensitive data openly on the web, bad guys can just slurp it down using a
modified client or even raw curl, etc.
> Also, if you know of a better forum to ask this, please tell.
Any such mechanism is only interesting if it's supported broadly, so a
less vendor-specific forum may be a better place (though we're happy to
talk about it here!). One that has discussed similar issues in the past
is the W3 public-webappsec list.
http://lists.w3.org/Archives/Public/public-webappsec/
-Dan Veditz
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
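Added example, not code from this thread or from any Mozilla project: a small Python evaluator that decides, the way a conforming browser would, whether a page served with the CSP frame-ancestors directive and/or X-Frame-Options discussed above may be framed by a given ancestor origin (frame-ancestors takes precedence when present). The sample origins (example.test, partner.test) are constructed, and the matching is simplified to scheme, host and port (no paths or IP literals). It also illustrates Dan's caveat: this check exists only inside a cooperating browser, so a modified client never performs it.

```python
"""Decide whether a conforming browser would let `ancestor` frame a page served
with `headers` (CSP frame-ancestors first, X-Frame-Options as the fallback).
Simplified: scheme/host/port matching only, no path or IP-literal handling."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    """(scheme, host, effective port) for an origin string."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)

def _source_matches(src, ancestor):
    """One CSP scheme-source or host-source against the ancestor origin."""
    a_scheme, a_host, a_port = _origin(ancestor)
    if src.endswith(":") and "." not in src:           # scheme-source, e.g. "https:"
        return src[:-1].lower() == a_scheme
    s = urlsplit(src if "://" in src else a_scheme + "://" + src)
    s_scheme, s_host = s.scheme.lower(), (s.hostname or "").lower()
    if s_scheme != a_scheme and not (s_scheme == "http" and a_scheme == "https"):
        return False                                   # an http: source also covers https:
    if s.port is not None and s.port != a_port:        # explicit port must match exactly
        return False
    if s_host.startswith("*."):                        # wildcard requires a real subdomain
        return a_host.endswith(s_host[1:])
    return s_host == "*" or s_host == a_host

def frame_ancestors_allows(directive, ancestor, self_origin):
    """`directive` is the text after 'frame-ancestors', e.g. "'self' https://*.partner.test"."""
    sources = directive.split()
    if not sources or "'none'" in sources:             # empty list or 'none': nobody may frame
        return False
    return any(_origin(self_origin) == _origin(ancestor) if src == "'self'"
               else _source_matches(src, ancestor) for src in sources)

def framing_allowed(headers, ancestor, self_origin):
    """frame-ancestors, when sent, takes precedence over X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return frame_ancestors_allows(value, ancestor, self_origin)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(ancestor) == _origin(self_origin)
    return True                                        # nothing sent: any site may frame it
```

Call `framing_allowed(response_headers, embedding_origin, own_origin)` with the headers your site actually emits to see which third parties a browser would permit to embed it.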