Re: IDN spoofing might still be a threat

2009-04-04 Thread Florian Weimer
* Gervase Markham:
> On 01/04/09 16:58, Florian Weimer wrote:
>> The ß-β near-collision is not a problem because ß is normalized to ss.
>> I've been joking that the (which once was about buses, not penance) was one of the first IDNs.
>
> As a sidenote, the status of ß is on

Re: Server Side CSP

2009-04-04 Thread Florian Weimer
> Actually, all event-handling HTML attributes will be blocked, as they
> are a common vector for XSS, e.g. . However,
> sites will still be able to do event handling in the following ways:
> 1) setting the on properties of an element, e.g. foo.onclick = myFunc;
> 2) using addEventListener, e.g.

Re: Content Security Policy - final call for comments

2009-04-04 Thread Florian Weimer
* Brandon Sterne:
> We now have a specification document to work from (thanks, Sid!) and
> it and other supporting docs can be found on the Mozilla Wiki:
> https://wiki.mozilla.org/Security/CSP/Spec

The policy does not say explicitly what happens to javascript: hyperlinks and the on* event handle