On 26/06/09 22:42, Bil Corry wrote:
> It's been brought up this morning on the WASC Web Security list too: http://www.webappsec.org/lists/websecurity/archive/2009-06/msg00086.html
The linked blog post suggests using the page itself as an E4X document to bypass the restrictions. Dead clever :-) Should we say that CSP also requires the external JS files to be served with the right Content-Type (application/javascript)? That would reduce the possibility of the attacker using random content they've managed to create on the remote server as a script file.
Gerv

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
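The check Gerv proposes, modelled as an added example that is not part of the thread or of any browser's CSP implementation: an external script runs only if its origin passes the policy's script-src whitelist and the response carried a JavaScript MIME type, so a whitelisted HTML page loaded as a script (the E4X trick) is rejected on its Content-Type. The page URL, policy string and response objects are constructed; only 'self' and scheme://host source expressions are modelled.

```javascript
// Added example: combines CSP source whitelisting with a MIME-type
// requirement for external scripts. Not the thread's or any browser's code.
const JS_MIME_TYPES = new Set([
  "application/javascript", "text/javascript", "application/x-javascript",
  "application/ecmascript", "text/ecmascript",
]);

// Pull the script-src source expressions out of a CSP header value.
function parseScriptSrc(cspHeader) {
  for (const directive of cspHeader.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] === "script-src") return tokens.slice(1);
  }
  return [];
}

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// True when the script's origin matches 'self' or a listed scheme://host.
function originAllowed(scriptUrl, pageUrl, sources) {
  const scriptOrigin = originOf(scriptUrl);
  return sources.some(src =>
    (src === "'self'" && scriptOrigin === originOf(pageUrl)) ||
    (src.includes("://") && originOf(src) === scriptOrigin));
}

// Strip parameters such as "; charset=utf-8" and normalise case.
function mimeTypeOf(contentType) {
  return contentType.split(";")[0].trim().toLowerCase();
}

// Decision for one fetched script. `response` is a constructed
// { url, contentType } pair standing in for the HTTP response.
function shouldExecuteScript(pageUrl, cspHeader, response) {
  const sources = parseScriptSrc(cspHeader);
  if (!originAllowed(response.url, pageUrl, sources)) {
    return { execute: false, reason: "origin not in script-src" };
  }
  if (!JS_MIME_TYPES.has(mimeTypeOf(response.contentType))) {
    return { execute: false, reason: "non-JavaScript Content-Type" };
  }
  return { execute: true, reason: "ok" };
}
```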
