How about "no-user" as a source expression in script-src, instead?
On 12 April 2012 14:42, Tanvi Vyas <ta...@mozilla.com> wrote:
> Given recent social-engineering attacks, Firefox no longer allows
> JavaScript in the address bar (https://bugzilla.mozilla.org/show_bug.cgi?id=656433).
> The same issue could exist with the Web Console. An attacker could ask a
> user to use the keyboard shortcut to open the web console and copy and
> paste JavaScript on a page that is vulnerable to DOM based or self XSS.
>
> To mitigate this potential attack, we are considering adding a new CSP
> directive 'no-user-js' that can be set by websites being targeted by this
> attack (http://incompleteness.me/mozblog/2011/12/14/combating-self-xss/):
> X-Content-Security-Policy: no-user-js
>
> Developers who want to use the Web Console to test their sites on websites
> that have set 'no-user-js' would have a preference to override the
> 'no-user-js' directive. For websites that have not set 'no-user-js',
> developers would see no change to Web Console.
>
> Thoughts?
>
> ~Tanvi
> _______________________________________________
> dev-security mailing list
> dev-security@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security
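A small CSP header parser, added here as an example that is not part of the thread and not Mozilla code, to make the difference between the two proposals concrete: Tanvi's standalone `no-user-js` directive versus a `'no-user'` source expression inside `script-src`. The function names are my own, and both spellings are the thread's proposals rather than standardized CSP syntax; the parser itself follows the general CSP shape (directives separated by `;`, each a name followed by whitespace-separated values, first occurrence of a directive name wins).

```python
"""Toy Content-Security-Policy parser (added example, not Mozilla code).

'no-user-js' (standalone directive) and 'no-user' (script-src source
expression) are the two proposals from the thread, not standard CSP tokens.
"""

from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source-expressions]}.

    Directives are separated by ';'; each is a name followed by optional
    whitespace-separated values. Names are case-insensitive and are lowercased
    here; values keep their case so quoted keywords compare literally.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue  # tolerate empty segments such as a trailing ';'
        name = tokens[0].lower()
        # CSP ignores a directive name after its first occurrence, so only
        # the first instance is recorded.
        policy.setdefault(name, tokens[1:])
    return policy


def blocks_user_js(header: str) -> bool:
    """Report whether the policy asks the browser to refuse user-pasted JS.

    Recognises both spellings discussed in the thread:
      - standalone directive:            no-user-js
      - script-src source expression:    script-src ... 'no-user'
    """
    policy = parse_csp(header)
    if "no-user-js" in policy:
        return True
    return "'no-user'" in policy.get("script-src", [])


if __name__ == "__main__":
    # Constructed sample header values for a quick self-check.
    for value in (
        "no-user-js",
        "default-src 'self'; script-src 'self' 'no-user'",
        "default-src 'self'; script-src 'self'",
    ):
        print(f"{value!r:55} -> blocks user JS: {blocks_user_js(value)}")
```

The two spellings differ in where they live: a standalone directive applies regardless of any `script-src` setting, while the source-expression form only takes effect on sites that already ship a `script-src` directive, which is the trade-off the reply above is pointing at.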