WordPress.org
Get WordPress

Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #10237


Ignore:
Timestamp:
06/22/2009 11:30:58 PM (14 years ago)
Author:
dd32
Comment:

Point 2 makes it a bit difficult by the sound of it, Seems to say that no inline JS is allowed, it has to be in a file hosted on a white-listed domain?

Also, Can you find any references on how its implemented? I couldn't see a technical detail anywhere.

Legend:

Unmodified
Added
Removed
Modified

  • Ticket #10237

    • Property Summary changed from Interesting new feature in Mozilla to prevent XSS to Implement the new Mozilla feature to prevent XSS

  • Ticket #10237 – Description

    initial v1  
    11http://blogs.zdnet.com/security/?p=3654
     2
     3 1. Here’s how Content Security Policy can provide a way for server administrators to reduce or eliminate their XSS attack surface. Website administrators specify which domains the browser should treat as valid sources of script.
     4
     5 2. The browser will only execute script in source files from the white-listed domains and will disregard everything else, including inline scripts and event-handling HTML attributes.
     6   - Note: event-handling is still enabled in CSP without using HTML attributes.
     7
     8 3. Sites that never want to have JavaScript included in their pages can choose to globally disallow script.