On Sun, May 22, 2016 at 6:17 PM, Brian Wolff wrote:
> Content-Security-Policy (CSP) header is a header that disables certain
> JavaScript features that are commonly used to exploit XSS attacks, in
> order to mitigate the risks of XSS. I think we could massively benefit
> from using this technolog
On Monday, May 23, 2016, Pine W wrote:
> With the disclaimer that I'm not a security engineer and that I understand
> only parts of this proposal, in general this strikes me as a good idea. It
> seems to me that trying to develop a comprehensive list of what tools /
> scripts this proposal would l
On Monday, May 23, 2016, Tyler Romeo wrote:
> First, as I expected, this proposal is to use CSP with the "unsafe-eval"
> option enabled for both style-src and script-src. This means the
> JavaScript eval() function can be used freely, and inline CSS via the
> style attribute can still be used. Comb
First, as I expected, this proposal is to use CSP with the "unsafe-eval"
option enabled for both style-src and script-src. This means the JavaScript
eval() function can be used freely, and inline CSS via the style attribute
can still be used. Combined with the "default-src *" policy, which I
mentio
With the disclaimer that I'm not a security engineer and that I understand
only parts of this proposal, in general this strikes me as a good idea. It
seems to me that trying to develop a comprehensive list of what tools /
scripts this proposal would likely break, how important those breaks are,
and
So the RFC process page says I should email wikitech-l to propose an RFC, thus:
Content-Security-Policy (CSP) header is a header that disables certain
JavaScript features that are commonly used to exploit XSS attacks, in
order to mitigate the risks of XSS. I think we could massively benefit
from u