On 8/11/09 3:19 AM, Gervase Markham wrote:
> Here are some possibilities for www.mozilla.org, based on the home page,
> which does repost RSS headlines, so there's at least the theoretical
> possibility of an injection. To begin with:
>
> allow self; options inline-script;

Blocking inline-script is key to stopping XSS. We added the ability to turn that bit of CSP off as an interim crutch for complex sites trying to convert, but if our proof-of-concept site has to rely on it we've clearly failed and will be setting a bad example to boot.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
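The weak and hardened policies discussed in the thread, as an added example (not code from the thread or from Mozilla): a small Python checker for the 2009 draft CSP syntax, assuming that draft's `allow` default source list and `options inline-script` re-enable form as used in the quoted message; `eval-script`, the draft's companion option keyword, is flagged as well.

```python
# Added example, not from the thread: a checker for the 2009 draft CSP
# syntax quoted above. In that draft "allow" is the default source list and
# "options inline-script" re-enables inline <script> execution, which is the
# bit the reply argues a showcase site must not depend on.

def parse_policy(policy: str) -> dict:
    """Split 'allow self; options inline-script;' into {directive: [values]}."""
    directives = {}
    for clause in policy.split(";"):
        parts = clause.split()
        if not parts:
            continue  # empty clause, e.g. after the trailing ';'
        name, values = parts[0].lower(), [v.lower() for v in parts[1:]]
        # Duplicate directives are merged (a constructed choice for this checker).
        directives.setdefault(name, []).extend(values)
    return directives


def inline_script_allowed(policy: str) -> bool:
    """True when the policy keeps inline scripts enabled (the XSS crutch)."""
    return "inline-script" in parse_policy(policy).get("options", [])


def review(policy: str) -> list:
    """Return human-readable findings for the policy; an empty list means no complaint."""
    directives = parse_policy(policy)
    findings = []
    if "allow" not in directives:
        findings.append("no 'allow' directive: sources are not restricted by default")
    options = directives.get("options", [])
    if "inline-script" in options:
        findings.append("options inline-script: inline <script> still runs, XSS not stopped")
    if "eval-script" in options:
        findings.append("options eval-script: string-to-code (eval) still enabled")
    return findings


def harden(policy: str) -> str:
    """Rewrite the policy with inline-script dropped from its options."""
    directives = parse_policy(policy)
    options = [o for o in directives.get("options", []) if o != "inline-script"]
    if options:
        directives["options"] = options
    else:
        directives.pop("options", None)  # no options left, drop the directive
    return "; ".join(" ".join([k, *v]) for k, v in directives.items()) + ";"


if __name__ == "__main__":
    weak = "allow self; options inline-script;"  # the policy proposed in the thread
    for finding in review(weak):
        print("-", finding)
    print("hardened:", harden(weak))
```

In the CSP syntax that eventually shipped, the same crutch is the `'unsafe-inline'` keyword on `script-src` or `default-src`, and the same check applies.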
