Hi,
I have downloaded the CSP-enabled preview build for Windows. But I
don't know how to use it in order to test the CSP in action.
I can't understand the following line:
Grab a preview build of Minefield and load this page to see how CSP
works. For each individual test, a CSP-supporting browser

Nilesh Kumar wrote:
Hi,
I have downloaded the CSP-enabled preview build for Windows. But I
don't know how to use it in order to test the CSP in action.
I can't understand the following line:
Grab a preview build of Minefield and load this page to see how CSP
works. For each individual test, a

On 26/10/09 08:46, Nilesh Kumar wrote:
Grab a preview build of Minefield
Download a copy of the latest trunk builds of Firefox which have CSP
support. The text you quote should have provided a link.
and load this page to see how CSP
works. For each individual test, a CSP-supporting browser

On 10/22/09 6:09 PM, Adam Barth wrote:
I agree, but if you think sites should be explicit, doesn't that mean
they should explicitly opt-in to changing the normal (i.e., non-CSP)
behavior?
They have already opted in by adding the CSP header. Once they've
opted-in to our web-as-we-wish-it-were
It seems reasonable to mitigate both of those without using CSP at all.
+1.
But the current spec was trying to address them. For e.g. all the
img-src, frame-src, frame-ancestor, font-src, style-src isn't really
needed for preventing XSS (afaik). My view is that there is not
problem with