Re: Remove paths from CSP?

On Fri, Feb 14, 2014 at 2:02 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> Are there alternative where we can have both the CSP security
>  improvements and avoid the "hole" altogether, or minimize the damage?
>

If the browser sent a header which included the element name (img, frame,
style, script, etc) that triggered the request, that may minimize the
concern for some cases, eg:

X-Requested-With: img

That way resources that are not legitimately requested via an img tag for
example can block/ignore the request.

--
Pete Freitag

Received on Friday, 14 February 2014 20:15:30 UTC