Changes between Initial Version and Version 1 of Ticket #10237

Timestamp:
06/22/09 23:30:58 (4 years ago)
Author:
dd32
Comment:

Point 2 makes it a bit difficult by the sound of it, Seems to say that no inline JS is allowed, it has to be in a file hosted on a white-listed domain?

Also, Can you find any references on how its implemented? I couldn't see a technical detail anywhere.

Legend:

Unmodified
Added
Removed
Modified

  • Ticket #10237

    • Property Summary changed from Interesting new feature in Mozilla to prevent XSS to Implement the new Mozilla feature to prevent XSS

  • Ticket #10237 – Description

    initial v1  
    11http://blogs.zdnet.com/security/?p=3654 
     2 
     3 1. Here’s how Content Security Policy can provide a way for server administrators to reduce or eliminate their XSS attack surface. Website administrators specify which domains the browser should treat as valid sources of script. 
     4 
     5 2. The browser will only execute script in source files from the white-listed domains and will disregard everything else, including inline scripts and event-handling HTML attributes.  
     6   - Note: event-handling is still enabled in CSP without using HTML attributes. 
     7 
     8 3. Sites that never want to have JavaScript included in their pages can choose to globally disallow script.