Gervase Markham wrote:
> On 26/06/09 22:42, Bil Corry wrote:
>> http://www.webappsec.org/lists/websecurity/archive/2009-06/msg00086.html
>
> The linked blog post suggests using the page itself as an E4X document to
> bypass the restrictions. Dead clever :-) Should we say that CSP also
> requires the external JS files to be served with the right Content Type
> (application/javascript)? That would reduce the possibility of the
> attacker using random content they've managed to create on the remote
> server as a script file.
>
> Gerv
That is clever. Yes, I think you're right that we should enforce a valid MIME
type for the external script files. We probably also want to whitelist
application/json for sites utilizing JSON feeds.

-Brandon

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
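To make the rule under discussion concrete, here is a small Node.js model of a script loader that only executes an external resource when its response carries an allowlisted Content-Type. This is example code added for this page; it is not from the thread, from the CSP specification, or from Mozilla's implementation. The allowlist (JavaScript types plus application/json, following the reply above), the function names and the sample responses are all assumptions constructed for illustration. The first sample response models the case Gerv describes, a page pointed at by a script tag: whatever its body would parse as, it is served as text/html and so never reaches the JavaScript engine. For context, the shipped CSP did not adopt this rule; in current browsers the equivalent strict type check on scripts is what the X-Content-Type-Options: nosniff header turns on.

```javascript
// Added example (not from the thread, the CSP spec, or any browser):
// a toy model of "external scripts must have a script Content-Type".
// Everything below, including the allowlist, is an assumption for illustration.

const ALLOWED_SCRIPT_TYPES = new Set([
  "application/javascript",
  "application/x-javascript",
  "text/javascript",
  "application/ecmascript",
  "text/ecmascript",
  "application/json", // JSON feeds, as proposed in Brandon's reply (assumption)
]);

// Parse a Content-Type header value down to its media type: drop parameters
// such as "; charset=utf-8", trim whitespace, and lower-case it. Anything that
// is not of the form "type/subtype" is treated as no usable type at all.
function mediaType(contentTypeHeader) {
  if (typeof contentTypeHeader !== "string") return null;
  const type = contentTypeHeader.split(";")[0].trim().toLowerCase();
  return /^[^\s\/]+\/[^\s\/]+$/.test(type) ? type : null;
}

// The policy decision: may a response with this Content-Type run as a script?
// A missing or malformed header is a rejection, not a fall-through.
function scriptTypeAllowed(contentTypeHeader) {
  const type = mediaType(contentTypeHeader);
  return type !== null && ALLOWED_SCRIPT_TYPES.has(type);
}

// Simulated loader step: the body is deliberately never inspected, because
// the whole point of the rule is that the declared type gates execution.
function simulateScriptLoad(response) {
  return scriptTypeAllowed(response.headers["content-type"])
    ? "executed"
    : "blocked";
}

// Constructed sample responses (hypothetical host, not real traffic).
const SAMPLE_RESPONSES = [
  // The page itself referenced as a script source: blocked by type alone.
  { url: "https://example.test/page.html",
    headers: { "content-type": "text/html; charset=utf-8" },
    body: "<html><body>...</body></html>" },
  // Legitimate script; mixed case and a charset parameter are tolerated.
  { url: "https://example.test/app.js",
    headers: { "content-type": "Application/JavaScript; charset=UTF-8" },
    body: "console.log('legit')" },
  // JSON feed, allowed under the proposed whitelist.
  { url: "https://example.test/feed.json",
    headers: { "content-type": "application/json" },
    body: "{\"items\":[]}" },
  // Attacker-controlled upload on the same host: served as text/plain.
  { url: "https://example.test/upload/avatar.txt",
    headers: { "content-type": "text/plain" },
    body: "alert(document.cookie)" },
  // No Content-Type at all: rejected rather than sniffed.
  { url: "https://example.test/nocontenttype",
    headers: {},
    body: "alert(1)" },
];

// Run every sample through the loader and return { url: decision }.
function classify(responses) {
  const result = {};
  for (const r of responses) result[r.url] = simulateScriptLoad(r);
  return result;
}

console.log(classify(SAMPLE_RESPONSES));
```

The design choice worth noting is that the check is on the declared media type, parsed strictly, and never on the body: the E4X bypass works precisely because a body that looks like markup can also be a valid script expression, so any body-based heuristic is the wrong layer for this defence.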