Given recent social-engineering attacks, Firefox no longer allows JavaScript in the address bar (https://bugzilla.mozilla.org/show_bug.cgi?id=656433). The same issue could exist with the Web Console. An attacker could ask a user to use the keyboard shortcut to open the Web Console and copy and paste JavaScript on a page that is vulnerable to DOM-based or self XSS.

To mitigate this potential attack, we are considering adding a new CSP directive 'no-user-js' that can be set by websites being targeted by this attack (http://incompleteness.me/mozblog/2011/12/14/combating-self-xss/):

X-Content-Security-Policy: no-user-js

Developers who want to use the Web Console to test their sites on websites that have set 'no-user-js' would have a preference to override the 'no-user-js' directive. For websites that have not set 'no-user-js', developers would see no change to the Web Console.

Thoughts?
~Tanvi
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
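As an added example, not part of Tanvi's post and not Firefox code: a small JavaScript model of the decision the Web Console would have to make under the proposed directive. It parses the policies delivered in a response's CSP headers, treats the page as opted out when any policy carries no-user-js, and honours a developer override preference. The header names and the directive come from the post; everything else is an assumption of this example: that both the legacy X-Content-Security-Policy header and the standard Content-Security-Policy header would be consulted, that multiple policies combine by adding restrictions, and the preference name 'devtools.webconsole.ignoreNoUserJs', which is a hypothetical placeholder. The sample responses at the end are constructed.

```javascript
// Added example (not from the original post or any Firefox code): a model of how
// a browser could evaluate the proposed 'no-user-js' CSP directive before running
// script typed or pasted into the Web Console.
//
// Assumptions (not stated in the post): both header names below are honoured,
// several policies combine by adding restrictions, and the override preference
// name is a hypothetical placeholder.
const CSP_HEADER_NAMES = ['content-security-policy', 'x-content-security-policy'];
const OVERRIDE_PREF = 'devtools.webconsole.ignoreNoUserJs'; // hypothetical name

// Parse one policy string ("directive value value; directive ...") into a Map of
// directive name -> array of values. Names are case-insensitive; the first
// occurrence of a directive wins, matching how CSP treats duplicate directives.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Collect every policy delivered with a response. `headers` is an array of
// [name, value] pairs; one header value may carry several comma-separated
// policies, and a response may carry several CSP headers.
function policiesFor(headers) {
  const policies = [];
  for (const [name, value] of headers) {
    if (!CSP_HEADER_NAMES.includes(name.toLowerCase())) continue;
    for (const candidate of value.split(',')) {
      const trimmed = candidate.trim();
      if (trimmed) policies.push(parsePolicy(trimmed));
    }
  }
  return policies;
}

// The page has opted out of user-supplied script if ANY delivered policy carries
// no-user-js: additional policies can only add restrictions, never relax them.
function pageForbidsUserJs(headers) {
  return policiesFor(headers).some((policy) => policy.has('no-user-js'));
}

// Decision for one line the user typed or pasted into the console.
// `prefs` models about:config; only the (hypothetical) override pref matters here.
function consoleEvalAllowed(headers, prefs = {}) {
  if (!pageForbidsUserJs(headers)) return true; // no opt-out: behaviour unchanged
  return prefs[OVERRIDE_PREF] === true;         // opted out: developer override only
}

// Constructed sample responses (not captured from any real site).
const protectedSite = [
  ['Content-Type', 'text/html'],
  ['X-Content-Security-Policy', "default-src 'self'; no-user-js"],
];
const ordinarySite = [
  ['Content-Type', 'text/html'],
  ['Content-Security-Policy', "default-src 'self'"],
];

console.log('protected site, default prefs :', consoleEvalAllowed(protectedSite));
console.log('protected site, override set  :', consoleEvalAllowed(protectedSite, { [OVERRIDE_PREF]: true }));
console.log('ordinary site, default prefs  :', consoleEvalAllowed(ordinarySite));
```

The point of modelling it this way is that the check is per document, not global: the console consults the policies of the page it is attached to, so a site that never sends the directive sees no change, while a site that sends it in any of its policies blocks pasted script unless the developer has explicitly flipped the override preference.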