On Jul 6, 10:36 am, Daniel Veditz <[email protected]> wrote:
> There is no cross-browser support for signed javascript. With the
> current CSP the site will work perfectly well in browsers that don't
> support CSP. CSP is already asking site authors to do a lot of work, but
> since it works in all browsers sites can transition slowly (such as
> writing new content to that standard, leaving old content alone). If CSP
> requires separate content for CSP-supporting browsers it will never fly.
I completely agree with the backwards compatibility arguments; however, my original post was not about signed JS. It was more or less a suggestion for a solution. In my original post I tried to address the problem of a shift from XSS in *.html to XSS in *.js. What if web developers create empty HTML files and include all the content in generated JavaScript files?

1: Should we consider this situation?
2: Do you agree with this risk/problem, or is it unlikely that it will happen?
3: Are there any other technical solutions to prevent/mitigate this risk?

In the current specs it appears that we are more or less assuming that js files are more or less static...

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
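The scenario the poster describes, as an added example that is not part of the original thread or of any CSP implementation: a site serves an empty HTML page and a server-generated script (the hypothetical endpoint `/greeting.js`), so a policy such as `script-src 'self'` permits the script because it comes from the site's own origin. If untrusted data is spliced into that script's source, the injection runs with the same privileges as any first-party script and CSP source restrictions do not see it. The generator functions, the payload and the fake browser environment below are all constructed for illustration; the mitigation shown is ordinary safe serialisation of the value into a JS string literal, not a CSP feature.

```javascript
// Added example, not from the dev-security thread. Demonstrates XSS moving
// from *.html into a server-generated *.js file that a policy like
// "script-src 'self'" would still allow. All names here are hypothetical.

// Hypothetical server-side generator for /greeting.js. The HTML page is
// empty; all content lives in this script.
// VULNERABLE: the user-controlled display name is spliced straight into
// JavaScript source, so a quote in the input ends the string literal.
function buildGreetingScriptVulnerable(displayName) {
  return 'document.getElementById("greeting").textContent = "Hello, ' +
    displayName + '";';
}

// SAFER: serialise the untrusted value as a JSON string literal, then
// escape characters that can still break out when the same generator is
// reused inline in HTML (< and >) or break a JS string (U+2028, U+2029).
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function buildGreetingScriptSafe(displayName) {
  return 'document.getElementById("greeting").textContent = "Hello, " + ' +
    jsStringLiteral(displayName) + ';';
}

// Minimal stand-in for the browser: a fake document plus an alert spy.
// A script served from the site's own origin satisfies script-src 'self',
// so the browser would execute it; we emulate that with new Function and
// record whether attacker-controlled code actually ran.
function runAsBrowser(script) {
  const el = { textContent: '' };
  const state = { alertCalls: 0, rendered: '' };
  const document = { getElementById: () => el };
  const alert = () => { state.alertCalls += 1; };
  new Function('document', 'alert', script)(document, alert);
  state.rendered = el.textContent;
  return state;
}

// Constructed attacker input: closes the string, runs code, comments out the rest.
const PAYLOAD = '"; alert(1); //';

// Runs both generators against the payload and reports what executed.
function demo() {
  const vulnerable = runAsBrowser(buildGreetingScriptVulnerable(PAYLOAD));
  const safe = runAsBrowser(buildGreetingScriptSafe(PAYLOAD));
  return { vulnerable, safe };
}

const result = demo();
console.log('vulnerable generator: alert() called', result.vulnerable.alertCalls,
  'time(s); rendered text:', JSON.stringify(result.vulnerable.rendered));
console.log('safe generator:       alert() called', result.safe.alertCalls,
  'time(s); rendered text:', JSON.stringify(result.safe.rendered));
```

The point the example makes is that the policy never enters the picture: both scripts are "self"-origin resources, so the only defence left is the generator treating user data as data. Nonces or hashes on the `<script>` element would not help either, since the whole file is legitimately loaded; the injection is inside it.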
