[whatwg] How can a server or serverside script identify if a request is from a page, iframe or xhr?

2016-11-01 Thread Roger Hågensen
I was wondering how can a server or script identify if a request is from a page, iframe or xhr? Doing this would not prevent any XSS attacks, but it would allow a server/server-side script to detect a potential XSS attack. I could not find any mention of any reliable way to do this currently.

Re: [whatwg] How can a server or serverside script identify if a request is from a page, iframe or xhr?

2016-11-01 Thread Michael A. Peters
On 11/01/2016 02:42 AM, Roger Hågensen wrote:
> I was wondering how can a server or script identify if a request is from a page, iframe or xhr? Doing this would not prevent any XSS attacks, but it would allow a server/server-side script to detect a potential XSS attack. I could not find any

Re: [whatwg] How can a server or serverside script identify if a request is from a page, iframe or xhr?

2016-11-01 Thread Roger Hågensen
On 2016-11-01 11:26, Michael A. Peters wrote:
> Any server admin that trusts a header sent by a client for security purposes is a fool. They lie, and any browser extension or plugin can influence what headers are sent and what they contain.

Wait, are you saying that ContentSecurityPolicy can't

Re: [whatwg] possible new parameters to video.play() ?

2016-11-01 Thread Michael A. Peters
On 09/19/2016 07:41 AM, Simon Pieters wrote:
> There is always room for adding convenience APIs, it's a matter of demonstrating that it's a common enough need to make it worth the cost of adding it. https://wiki.whatwg.org/wiki/FAQ#Where.27s_the_harm_in_adding.E2.80.94 HTH,

* OFF TOPIC *

Re: [whatwg] How can a server or serverside script identify if a request is from a page, iframe or xhr?

2016-11-01 Thread Roger Hågensen
On 2016-11-01 10:42, Roger Hågensen wrote:
> I was wondering how can a server or script identify if a request is from a page, iframe or xhr?

I really hate answering myself (and so soon after making a post) but it seems I have found the answer at

Re: [whatwg] How can a server or serverside script identify if a request is from a page, iframe or xhr?

2016-11-01 Thread Michael A. Peters
On 11/01/2016 03:32 AM, Roger Hågensen wrote:
> On 2016-11-01 10:42, Roger Hågensen wrote:
>> I was wondering how can a server or script identify if a request is from a page, iframe or xhr?
>
> I really hate answering myself (and so soon after making a post) but it seems I have found the answer at

Re: [whatwg] How can a server or serverside script identify if a request is from a page, iframe or xhr?

2016-11-01 Thread Boris Zbarsky
On 11/1/16 6:36 AM, Roger Hågensen wrote:
> Wait, are you saying that ContentSecurityPolicy can't be relied upon?

It depends on your threat model. Content security policy is a tool that allows a web page to defend itself and its users from cross-site script injection attacks and the like. A