The WebAppSec WG at the W3C would like to inform WebSec that Content Security Policy (CSP) 1.0 has been published as a Last Call Working Draft, and the WG welcomes review, feedback and comments to public-webapp...@w3.org
CSP is a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application restrict from where the application can load resources. To mitigate XSS, for example, a web application can restrict itself to loading scripts only from known, trusted URIs, making it difficult for an attacker who can inject content into the web application to inject malicious script.

Content Security Policy (CSP) is not intended as a first line of defense against content injection vulnerabilities. Instead, CSP is best used as defense-in-depth, to reduce the harm caused by content injection attacks.

http://www.w3.org/TR/CSP/

Thank you,

Brad Hill
Co-chair, W3C WebAppSec WG
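To make the policy mechanism concrete, here is a small checker (an added example, not part of this announcement or of the CSP specification) that parses a constructed CSP 1.0 header and decides whether a script, image or inline script may load, including the fall-back from a missing directive to default-src. The policy string, hostnames and function names are assumptions chosen for illustration.

```python
from urllib.parse import urlparse

# Constructed CSP 1.0 header as a site administrator might send it (assumption:
# illustrative policy, not taken from the draft). Scripts may come only from the
# page's own origin and one trusted CDN; images may come from anywhere; every
# other resource type falls back to default-src 'self'.
POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *"

def parse_csp(header):
    """Parse a CSP 1.0 header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(expr, url, page_origin):
    """Match one CSP source expression against the URL of a resource."""
    u = urlparse(url)
    if expr == "'none'":
        return False
    if expr == "'self'":          # same scheme and host[:port] as the page
        return (u.scheme, u.netloc) == (page_origin.scheme, page_origin.netloc)
    if expr == "*":
        return True
    if expr.endswith(":"):        # scheme-only source, e.g. "https:"
        return u.scheme == expr[:-1]
    # host-source; without an explicit scheme it inherits the page's scheme
    e = urlparse(expr if "://" in expr else page_origin.scheme + "://" + expr)
    if e.scheme != u.scheme:
        return False
    host_ok = u.hostname == e.hostname or (
        e.hostname.startswith("*.") and u.hostname.endswith(e.hostname[1:]))
    port_ok = e.port is None or e.port == u.port
    return host_ok and port_ok

def load_allowed(policy, directive, url, page_url):
    """Decide whether a resource may load under the given directive (CSP 1.0)."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:           # neither the directive nor default-src: unrestricted
        return True
    return any(source_matches(s, url, urlparse(page_url)) for s in sources)

def inline_script_allowed(policy):
    """Inline <script> is blocked unless the governing list carries 'unsafe-inline'."""
    sources = policy.get("script-src", policy.get("default-src"))
    return sources is None or "'unsafe-inline'" in sources
```

With this policy an injected `<script src="https://evil.example.net/x.js">` and an injected inline script are both refused, while the page's own scripts and the CDN keep working.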
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec