On Fri, 13 Apr 2012 10:52:50 -0700 Johnathan Nightingale wrote:
> I think Joe's framing here is exactly right. Not only do I not want to make
> our developer tools first-run experience less pleasant by adding warnings,
> but I also doubt that easily-dismissed warnings would be genuinely effective
> at protecting our users (and the less easily dismissed, the more terrible the
> user experience.)
>
> I think the CSP directive is a better balance of keeping the tools pleasant
> to use the vast majority of the time, while still giving the short-head sites
> that are actually targeted by these self-xss worms a reasonably durable
> solution.

Does noscript have any ideas that could possibly be used without all users having to work out how to use noscript or disable noscript for some dumb sites?

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security