On 9/19/13 11:30 AM, Daniel Veditz wrote:
At the moment, hard; trivial once we support the CSP 1.1 tag
feature. Well, actually, adding the CSP policies isn't going to be the
hard part, fixing up all the pages will take a lot of work.
In the absence of the meta tag, can we hard code policies i
If I am not wrong,
http://mxr.mozilla.org/mozilla-central/source/content/base/public/nsContentPolicyUtils.h#158
shows that nsIContentPolicy implementation (which CSP uses) bypasses
all checks for chrome:// URI pages. Disabling this optimization might
have an impact on performance as well as the com
On 19.09.2013 20:30, Daniel Veditz wrote:
>> The only question that remains, is how hard is it to apply a CSP to
>> non-HTTP documents and XUL documents (like about:newtab)?
>
> At the moment, hard; trivial once we support the CSP 1.1 tag
> feature. Well, actually, adding the CSP policies isn't g
On 9/17/2013 9:38 AM, Frederik Braun wrote:
There were and probably will be XSS bugs in some of parts of our browser
part that is heavily using HTML and JavaScript.
There have been since the beginning of Firefox. Chrome XSS is about the
worst bugs because the attackers don't have to mess with
On 17.09.2013 09:38, Frederik Braun wrote:
> Hi,
>
> I was thinking.. Should there be a way to protect us from Cross-Zone
> Scripting (i.e. somebody XSSing privileged pages and thus being able to
> execute arbitrary commands) by applying CSP to internal pages?
This was already filed in 2012 as
ht
Hi,
I was thinking.. Should there be a way to protect us from Cross-Zone
Scripting (i.e. somebody XSSing privileged pages and thus being able to
execute arbitrary commands) by applying CSP to internal pages?
There were and probably will be XSS bugs in some of parts of our browser
part that is hea