I want to transmit sensitive information in, say, the index.html, which should only be accessible from JavaScript during the load time of the page. Afterwards the JavaScript on the page should not be able to access that data.

I can easily remove the sensitive data from the DOM on load, but I also need to prevent the page being loaded using XMLHttpRequest or by scraping it from an iframe.

I can block the iframe using the X-Frame-Options header and other frame-busting tricks, but how can I block the page from being loaded using XHR?

The best solution I came up with is to serve the index.html with a CSP header that doesn't include 'self' in the connect-src directive, but then I can't XHR to any URL on my server and I need to whitelist all other possible connect targets. There must be a better way to do it.
<script> tag. – ComFreek Aug 8 '13 at 18:51