On 23/10/09 01:50, Daniel Veditz wrote:
> blocking inline-script is key to stopping XSS. We added the ability to
> turn that bit of CSP off as an interim crutch for complex sites trying
> to convert, but if our proof-of-concept site has to rely on it we've
> clearly failed and will be setting a bad example to boot.

What I was doing in my message was creating a policy for the site as it is now exactly - i.e. one you could use without any modifications. So as the site had inline-script, I had to add the inline-script directive. What else would you have me do? :-)

If we are doing a proof-of-concept conversion, then let's actually do some conversion work. That would mean moving the one line of JS which kicks off Urchin into an external file.

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
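The conversion Gerv describes (move the one inline script that kicks off the tracker into an external file so the policy no longer needs the inline-script opt-out) as an added example, not code from the thread or from the site in question. The HTML, the tracker snippet, the `/js/inline-N.js` paths and the function names are all constructed for illustration; the policy strings use the modern standard CSP spelling (`script-src 'self'` versus `'unsafe-inline'`), which is the same idea the thread discusses under the older `inline-script` name. It also reports inline event handlers and `javascript:` URLs, which CSP treats as inline script too and which a site conversion has to move as well.

```javascript
// Added example (not from the thread): externalize inline <script> blocks so
// a page can run under a CSP that rejects inline script. Regex-based on
// well-formed HTML for brevity; a real conversion should walk a parsed DOM.

// Matches a <script ...> tag that has no src attribute, capturing its body.
const INLINE_SCRIPT_RE = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;

// Move every inline script body into its own file under `dir`. Returns the
// rewritten HTML plus a { path: source } map of files to serve from the origin.
function externalizeInlineScripts(html, dir = '/js') {
  const files = {};
  let n = 0;
  const out = html.replace(INLINE_SCRIPT_RE, (_match, body) => {
    if (body.trim() === '') return ''; // empty block: drop it
    n += 1;
    const path = `${dir}/inline-${n}.js`; // hypothetical naming scheme
    files[path] = body.trim() + '\n';
    return `<script src="${path}"></script>`;
  });
  return { html: out, files };
}

// on*="..." attributes and javascript: URLs are also inline script to CSP.
// Report them so they can be rewritten as addEventListener calls in the
// external file; externalizeInlineScripts() does not touch them.
function findInlineHandlers(html) {
  const found = [];
  const attrRe = /\s(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = attrRe.exec(html)) !== null) {
    found.push({ attr: m[1].toLowerCase(), code: m[2] !== undefined ? m[2] : m[3] });
  }
  const hrefRe = /\shref\s*=\s*["']\s*javascript:([^"']*)["']/gi;
  while ((m = hrefRe.exec(html)) !== null) {
    found.push({ attr: 'href', code: 'javascript:' + m[1] });
  }
  return found;
}

// The policy the unconverted site would need versus the converted one.
// 'unsafe-inline' is the modern equivalent of the inline-script opt-out;
// script-src 'self' alone blocks every inline script, which is the point.
function buildCsp({ allowInline }) {
  const scriptSrc = allowInline ? "'self' 'unsafe-inline'" : "'self'";
  return `default-src 'self'; script-src ${scriptSrc}`;
}

// Constructed sample page: one external tracker library plus the one inline
// block that starts it, and an inline onclick handler as a second problem.
const SAMPLE_HTML = `<html><head>
<script src="/js/urchin.js"></script>
<script type="text/javascript">
_uacct = "UA-000000-0";
urchinTracker();
</script>
</head><body><a href="#" onclick="alert(1)">hi</a></body></html>`;

const converted = externalizeInlineScripts(SAMPLE_HTML);
const leftovers = findInlineHandlers(converted.html);

console.log(converted.html);
console.log(converted.files);
console.log('still inline:', leftovers);
console.log('before:', buildCsp({ allowInline: true }));
console.log('after: ', buildCsp({ allowInline: false }));
```

After conversion the page loads `/js/inline-1.js` alongside the tracker library, both satisfied by `script-src 'self'`; the remaining `onclick` is listed so it can be moved into that file as a registered listener before the stricter policy is turned on.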
