Serge van den Boom wrote on 6/23/2009 8:13 AM:
> However, by injecting an X-Content-Security-Policy header with the
> policy-uri set to the vulnerable URL, the web client can be tricked into
> visiting the vulnerable URL.
It would only work for those pages where an X-Content-Security-Policy header has
not already been set -- additional X-Content-Security-Policy headers are
ignored. But beyond that, the proposed "Link" header would provide the same
attack surface, and cannot be restricted to a known URI:
http://www.ietf.org/internet-drafts/draft-nottingham-http-link-header-05.txt
Given that, I suggest keeping the CSP specification as-is.
- Bil
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
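The exchange above turns on one client-side rule: only the first X-Content-Security-Policy header on a response takes effect, and any additional ones are ignored, so an injected header only matters on pages that send no policy of their own. The following is an added example, not code from the thread or from Mozilla's implementation: a small defender-side audit that models that first-header-wins rule over a list of response headers, reports which CSP headers would be ignored, and additionally flags a policy-uri that points off the page's origin. The same-origin check on policy-uri, the `audit_response` function name, and all header values and URLs are assumptions constructed for illustration.

```python
"""Audit of the effective X-Content-Security-Policy header on a response.

Added example code. Models the rule stated in the thread (first CSP header
wins, additional ones are ignored) and adds an assumed same-origin check on
policy-uri. Header lists and URLs below are constructed, not captured traffic.
"""
from urllib.parse import urlsplit

CSP_HEADER = "x-content-security-policy"


def effective_csp(headers):
    """Return the value of the first X-Content-Security-Policy header, or None.

    headers: list of (name, value) tuples in wire order. Any CSP header after
    the first is ignored, matching the behaviour described in the thread.
    """
    for name, value in headers:
        if name.lower() == CSP_HEADER:
            return value
    return None


def parse_policy_uri(policy):
    """Extract the policy-uri directive value from a CSP header value, if any."""
    for directive in policy.split(";"):
        parts = directive.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "policy-uri":
            return parts[1].strip()
    return None


def same_origin(uri_a, uri_b):
    """Scheme, host and port must all match (assumed origin rule)."""
    a, b = urlsplit(uri_a), urlsplit(uri_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def audit_response(page_url, headers):
    """Report which CSP header takes effect, which are ignored, and whether
    the effective policy-uri points off the page's origin (assumed check)."""
    csp_values = [v for n, v in headers if n.lower() == CSP_HEADER]
    effective = effective_csp(headers)
    findings = {
        "effective_policy": effective,
        "ignored_headers": csp_values[1:],  # everything after the first
        "policy_uri": None,
        "policy_uri_off_origin": False,
    }
    if effective is not None:
        uri = parse_policy_uri(effective)
        findings["policy_uri"] = uri
        if uri is not None and not same_origin(page_url, uri):
            findings["policy_uri_off_origin"] = True
    return findings


# Constructed sample responses (hypothetical hostnames and paths).
PAGE = "http://example.test/page"
INJECTED = "policy-uri http://example.test/vulnerable"  # constructed injected value

# Case 1: the page already sends its own CSP header, so a second (injected)
# header is ignored, as the thread states.
PROTECTED = [
    ("Content-Type", "text/html"),
    ("X-Content-Security-Policy", "allow 'self'"),
    ("X-Content-Security-Policy", INJECTED),
]

# Case 2: the page sends no CSP header of its own, so the injected one is
# the effective policy and its policy-uri would be fetched.
UNPROTECTED = [
    ("Content-Type", "text/html"),
    ("X-Content-Security-Policy", INJECTED),
]

# Case 3: a policy-uri on another origin, caught by the assumed origin check.
OFF_ORIGIN = [
    ("X-Content-Security-Policy", "policy-uri http://other.test/policy"),
]

if __name__ == "__main__":
    for label, hdrs in (("protected", PROTECTED),
                        ("unprotected", UNPROTECTED),
                        ("off-origin", OFF_ORIGIN)):
        print(label, audit_response(PAGE, hdrs))
```

Run against a captured header list, the `ignored_headers` entry shows which policies a client following the first-header rule would drop, and `policy_uri` shows which URI the effective policy would make the client fetch.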