On 2016-11-01 10:42, Roger Hågensen wrote:
I was wondering how can a server or script identify if a request is from
page, iframe or xhr?

I really hate answering myself (and so soon after making a post) but it seems I have found the answer at

and the support is pretty good according to

But on MDN it says "For workers, non-compliant requests are treated as fatal network errors by the user agent."
But does this apply to non-workers too?

And is there any way to prevent injected hostile scripts?
I guess loading scripts from a specific (whitelisted) url could do the trick? Or maybe using strict-dynamic.

Darnit it. I may just have answered my own questions here.

Roger Hågensen, Freelancer, http://skuldwyrm.no/

Reply via email to