The argument is that the opt-in semantics of script-src (i.e. it's a
whitelist) are spoiled by the opt-out nature of this protection (i.e.
it's a blacklist), so a new directive is better.
Joe.
On 13/04/2012 02:57, Devdatta Akhawe wrote:
How about "no-user" as a source expression in script-src, instead?
On 12 April 2012 14:42, Tanvi Vyas <ta...@mozilla.com> wrote:
Given recent social-engineering attacks, Firefox no longer allows
JavaScript in the address bar
(https://bugzilla.mozilla.org/show_bug.cgi?id=656433). The same
issue could exist with the Web Console. An attacker could ask a
user to use the keyboard shortcut to open the web console and copy
and paste JavaScript on a page that is vulnerable to DOM-based or
self XSS.
To mitigate this potential attack, we are considering adding a new
CSP directive 'no-user-js' that can be set by websites being
targeted by this attack
(http://incompleteness.me/mozblog/2011/12/14/combating-self-xss/):
X-Content-Security-Policy: no-user-js
Developers who want to use the Web Console to test their sites on
websites that have set 'no-user-js' would have a preference to
override the 'no-user-js' directive. For websites that have not
set 'no-user-js', developers would see no change to Web Console.
Thoughts?
~Tanvi
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
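The two proposals in the thread, modelled side by side as an added example (not code from the thread or from Firefox): an opt-out `no-user-js` directive versus a hypothetical `'no-user'` source expression inside `script-src`, plus the developer override preference Tanvi describes. The header name and the directive/token semantics are assumptions for illustration; neither proposal is a shipped spec.

```python
"""Decide whether JavaScript pasted into the Web Console should run on a page.

Assumed semantics (illustration only, not a shipped spec):
  - 'no-user-js' as a standalone directive opts the page out (Tanvi's proposal)
  - 'no-user' as a source expression in script-src opts the page out (Devdatta's)
  - a developer preference may override either, and has no effect elsewhere
"""
from typing import Dict, List

HEADER = "x-content-security-policy"   # header name assumed from the thread


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [tokens]}.

    Directive names are lowercased; tokens keep their quotes so that
    keyword sources such as 'self' and 'none' stay distinguishable from hosts.
    """
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:                       # skip empty segments (trailing ';')
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def page_opted_out(headers: Dict[str, str]) -> bool:
    """True if the response header set carries either opt-out marker."""
    value = next((v for k, v in headers.items() if k.lower() == HEADER), None)
    if value is None:
        return False                     # no policy at all: console unchanged
    policy = parse_csp(value)
    if "no-user-js" in policy:           # opt-out directive present
        return True
    sources = [t.lower() for t in policy.get("script-src", [])]
    return "'no-user'" in sources        # opt-out token inside the whitelist


def user_js_allowed(headers: Dict[str, str], dev_override: bool = False) -> bool:
    """Console JS runs unless the page opted out, or the developer overrode it.

    Note the point Joe raises: a strict whitelist such as "script-src 'self'"
    still lets console JS run, because both proposals are opt-out (blacklist)
    protections layered on an opt-in (whitelist) directive.
    """
    if not page_opted_out(headers):
        return True
    return dev_override
```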