On Mar 30, 11:46 am, "bste...@mozilla.com" wrote:
>
> Actually, all event-handling HTML attributes will be blocked, as they
> are a common vector for XSS, e.g. . However,
> sites will still be able to do event handling in the following ways:
but evil() can only exist as a javascript built-in fu
On Apr 4, 10:39 am, Florian Weimer wrote:
> The policy does not say explicitly what happens to javascript:
> hyperlinks and the on* event handlers.
http://people.mozilla.org/~bsterne/content-security-policy/details.html#no-inline-script
> You shouldn't use an X- header because it's going to stic