Re: Content Security Policy discussion (link)

2009-07-06 Thread pceelen
On Jul 6, 10:36 am, Daniel Veditz wrote: > There is no cross-browser support for signed javascript. With the > current CSP the site will work perfectly well in browsers that don't > support CSP. CSP is already asking site authors to do a lot of work, but > since it works in all browsers sites can

Re: Content Security Policy discussion (link)

2009-07-06 Thread Daniel Veditz
pceelen wrote: > To prevent this we should have some requirements about the static > nature of the js files. One mechanism that might implement this is > adding requirements for static js files by requiring code-signed > javascript files (is this possible at the moment? > http://www.mozilla.org/pro

Re: Content Security Policy discussion (link)

2009-06-30 Thread pceelen
After reading the specs, it is clear that the main aim is to prevent executable code within HTML files. I do agree that CSP enables web developers to create more secure websites. In my view there is one problem: How is CSP going to prevent lousy web developers from including all their dynamic content

Re: Content Security Policy discussion (link)

2009-06-29 Thread Gervase Markham
On 29/06/09 18:02, Brandon Sterne wrote: That is clever. Yes, I think you're right that we should enforce a valid MIME type for the external script files. We probably also want to whitelist application/json for sites utilizing JSON feeds. It does make you think, what other brokennesses can we

Re: Content Security Policy discussion (link)

2009-06-29 Thread Sid Stamm
On 6/29/09 10:02 AM, Brandon Sterne wrote: Gervase Markham wrote: The linked blogpost suggests using the page itself as an E4X document to bypass the restrictions. Dead clever :-) Should we say that CSP also requires the external JS files to be served with the right Content Type? (application/ja

Re: Content Security Policy discussion (link)

2009-06-29 Thread Brandon Sterne
Gervase Markham wrote: > On 26/06/09 22:42, Bil Corry wrote: >> http://www.webappsec.org/lists/websecurity/archive/2009-06/msg00086.html > > The linked blogpost suggests using the page itself as an E4X document to > bypass the restrictions. Dead clever :-) Should we say that CSP also > require

Re: Content Security Policy discussion (link)

2009-06-29 Thread Gervase Markham
On 26/06/09 22:42, Bil Corry wrote: It's been brought up this morning on the WASC Web Security list too: http://www.webappsec.org/lists/websecurity/archive/2009-06/msg00086.html The linked blogpost suggests using the page itself as an E4X document to bypass the restrictions. Dead clev

Re: Content Security Policy discussion (link)

2009-06-26 Thread Bil Corry
Sid Stamm wrote on 6/26/2009 11:44 AM: > Some discussion about CSP has recently popped up on the mozilla wiki: > https://wiki.mozilla.org/Talk:Security/CSP/Spec > > I'm posting the link here in case anyone interested hasn't seen it yet. > Comments are welcomed (both here and there). It's been b

Content Security Policy discussion (link)

2009-06-26 Thread Sid Stamm
Hi All, Some discussion about CSP has recently popped up on the mozilla wiki: https://wiki.mozilla.org/Talk:Security/CSP/Spec I'm posting the link here in case anyone interested hasn't seen it yet. Comments are welcomed (both here and there). Cheers, Sid