I assume this protection would be extended to all facilities which allow
users to execute script (scratchpad, error console, are there others?)
And things like firebug would be out of scope, although they could
choose to respect this header or not.
On 4/13/12 7:42 AM, Tanvi Vyas wrote:
Given recent social-engineering attacks, Firefox no longer allows
JavaScript in the address bar
(https://bugzilla.mozilla.org/show_bug.cgi?id=656433). The same issue
could exist with the Web Console. An attacker could ask a user to use
the keyboard shortcut to open the web console and copy and paste
JavaScript on a page that is vulnerable to DOM based or self XSS.
To mitigate this potential attack, we are considering adding a new CSP
directive 'no-user-js' that can be set by websites being targeted by
this attack
(http://incompleteness.me/mozblog/2011/12/14/combating-self-xss/):
X-Content-Security-Policy: no-user-js
Developers who want to use the Web Console to test their sites on
websites that have set 'no-user-js' would have a preference to
override the 'no-user-js' directive. For websites that have not set
'no-user-js', developers would see no change to Web Console.
Thoughts?
~Tanvi
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
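To make the proposed behaviour concrete, here is a small model of how a browser's Web Console could evaluate the 'no-user-js' directive before running user-pasted script. This is an added example written for this thread, not Mozilla's implementation; the header name is the experimental X-Content-Security-Policy from the mail, and the developer_override flag and the sample responses are constructed assumptions.

```python
"""Model of the proposed 'no-user-js' CSP directive (added example, not Firefox code)."""

# Header name used by Firefox's experimental CSP at the time of the thread.
HEADER = "X-Content-Security-Policy"


def parse_csp(header_value: str) -> list[str]:
    """Split a CSP header value into its semicolon-separated directives."""
    return [d.strip().lower() for d in header_value.split(";") if d.strip()]


def site_forbids_user_js(headers: dict[str, str]) -> bool:
    """True when the response's policy carries the proposed no-user-js directive.

    Header names are compared case-insensitively, as HTTP requires.
    """
    for name, value in headers.items():
        if name.lower() == HEADER.lower() and "no-user-js" in parse_csp(value):
            return True
    return False


def console_allows_user_script(headers: dict[str, str], developer_override: bool = False) -> bool:
    """Decision the Web Console would take before executing pasted script.

    developer_override models the preference the mail describes: developers
    can switch it on to test a site that has opted in to no-user-js.
    """
    if not site_forbids_user_js(headers):
        return True  # sites that did not set the directive see no change
    return developer_override  # opted-in site: blocked unless the dev pref is set


# Constructed sample responses (assumptions, not real sites).
OPTED_IN_HEADERS = {"x-content-security-policy": "default-src 'self'; no-user-js"}
PLAIN_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    print("opted-in site, no override:", console_allows_user_script(OPTED_IN_HEADERS))
    print("opted-in site, dev override:", console_allows_user_script(OPTED_IN_HEADERS, True))
    print("site without directive:", console_allows_user_script(PLAIN_HEADERS))
```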