On 9/17/2013 9:38 AM, Frederik Braun wrote:
> There were and probably will be XSS bugs in some parts of our browser
> part that is heavily using HTML and JavaScript.

There have been since the beginning of Firefox. Chrome XSS is about the worst bugs because the attackers don't have to mess with shellcode and they're always 100% reliable, unlike the typical memory corruption exploit.

> The only question that remains is how hard is it to apply a CSP to
> non-HTTP documents and XUL documents (like about:newtab)?

At the moment, hard; trivial once we support the CSP 1.1 <meta> tag feature. Well, actually, adding the CSP policies isn't going to be the hard part; fixing up all the pages will take a lot of work.

It'd be safer to automatically impose a policy, but that would break so many add-ons that it would take great political will to make that kind of change even if we let add-ons opt out of the imposition.

-Dan Veditz
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
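
As an added illustration (not part of the original message and not Mozilla code), the Python sketch below audits a page for the markup that has to be "fixed up" before a CSP without 'unsafe-inline' can be applied: inline script blocks, event-handler attributes and javascript: URLs. The sample page, the policy value in its <meta> tag and the "on" attribute-prefix heuristic are assumptions made for the example.

```python
from html.parser import HTMLParser

# Constructed sample standing in for a privileged page; not a real Firefox file.
SAMPLE_PAGE = """<html>
<head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
<script src="newtab.js"></script>
<script>var grid = init();</script>
</head>
<body onload="setup()">
<a href="javascript:undo()">Undo</a>
<button id="toggle" onclick="toggle()">Hide</button>
</body>
</html>"""

class InlineScriptAudit(HTMLParser):
    """Collects (line, kind, detail) for markup a CSP without 'unsafe-inline' blocks."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_line = None  # line of an open <script> that has no src

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag == "script" and "src" not in {name for name, _ in attrs}:
            self._script_line = line
        for name, value in attrs:
            if name.startswith("on"):  # heuristic: onclick, onload, XUL oncommand
                self.findings.append((line, "event-handler", f"{tag} {name}"))
            elif name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append((line, "javascript-url", f"{tag} {name}"))

    def handle_data(self, data):
        # Report a script element once, on the first non-blank chunk of its body.
        if self._script_line is not None and data.strip():
            self.findings.append((self._script_line, "inline-script", "script"))
            self._script_line = None

    def handle_endtag(self, tag):
        if tag == "script":
            self._script_line = None

def audit(markup):
    parser = InlineScriptAudit()
    parser.feed(markup)
    parser.close()
    return sorted(parser.findings)

if __name__ == "__main__":
    print("\n".join(f"line {n}: {kind} ({what})" for n, kind, what in audit(SAMPLE_PAGE)))
```

Each finding is something to move into an external script file (or rewrite as an addEventListener call) before the policy is switched on.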
