On 4/12/12 2:42 PM, Tanvi Vyas wrote:
> To mitigate this potential attack, we are considering adding a new CSP directive 'no-user-js' that can be set by websites being targeted by this attack (http://incompleteness.me/mozblog/2011/12/14/combating-self-xss/):
>
> X-Content-Security-Policy: no-user-js
I think it's unlikely to be very useful, in practice. I'd be surprised if more than a tiny number of webdevs ended up looking for or using it... It's certainly helpful to major sites, but sites in the long-tail are no better off than they are today.
Justin

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security