Implement Content Security Policy to prevent XSS
Reported by: Denis-de-Bernardy | Owned by: ryan
Cc: bsterne, westi, Denis-de-Bernardy, gary@…
Description (last modified by dd32)
- Content Security Policy gives server administrators a way to reduce or eliminate their XSS attack surface: website administrators specify which domains the browser should treat as valid sources of script.
- The browser will only execute script in source files from the white-listed domains and will disregard everything else, including inline scripts and event-handling HTML attributes.
- Note: event handling still works under CSP; only handlers attached through HTML attributes are disregarded.
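As an added illustration, not code from the ticket or from WordPress, the following JavaScript models the script-src check the description refers to. The function names (parseCsp, scriptSources, sourceMatches, scriptAllowed, inlineScriptAllowed), the sample policy and the page URL are all constructed for this example; port and path parts of source expressions are ignored to keep it short, whereas a real browser also checks them.

```javascript
// Added example: a small model of how a browser applies the script-src
// directive of a Content-Security-Policy header. Only scripts from listed
// origins run; inline <script> bodies and onclick="..." attributes are
// disregarded unless the policy opts back in with 'unsafe-inline'.
// Handlers attached with addEventListener from an allowed script file are
// unaffected, which is the "event handling without attributes" case.

// Parse "name value value; name value" into { name: [values] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// script-src applies if present; otherwise default-src is the fallback.
function scriptSources(policy) {
  return policy['script-src'] || policy['default-src'] || [];
}

// Does one source expression permit a script URL loaded from pageUrl?
// Simplified: scheme and host only, no port or path matching.
function sourceMatches(source, scriptUrl, pageUrl) {
  const script = new URL(scriptUrl, pageUrl);
  const page = new URL(pageUrl);
  if (source === '*') return true;
  if (source === "'self'") return script.origin === page.origin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', ... never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return script.protocol === source.toLowerCase(); // "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)/i.exec(source); // [scheme://][*.]host
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && script.protocol !== scheme.toLowerCase() + ':') return false;
  const want = host.toLowerCase(), got = script.hostname.toLowerCase();
  return wildcard ? got.endsWith('.' + want) : got === want;
}

// Would an external script at scriptUrl execute on the page under this header?
function scriptAllowed(header, scriptUrl, pageUrl) {
  return scriptSources(parseCsp(header)).some(s => sourceMatches(s, scriptUrl, pageUrl));
}

// Would inline script (a <script> body or an onclick attribute) execute?
function inlineScriptAllowed(header) {
  return scriptSources(parseCsp(header)).includes("'unsafe-inline'");
}

// Constructed sample policy and page URL for the demonstration.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com";
const SAMPLE_PAGE = 'https://blog.example.org/';
```

With SAMPLE_POLICY, a relative script such as /wp-includes/js/jquery.js and anything on cdn.example.com are allowed, a script from any other host is refused, and inline script is refused until 'unsafe-inline' is added.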
Change History (27)
- Description modified
- Summary changed from "Interesting new feature in Mozilla to prevent XSS" to "Implement the new Mozilla feature to prevent XSS"