[wp-trac] Re: [WordPress Trac] #10237: Implement the new Mozilla feature to prevent XSS (was: Interesting new feature in Mozilla to prevent XSS)
WordPress Trac
wp-trac at lists.automattic.com
Mon Jun 22 23:30:58 GMT 2009
#10237: Implement the new Mozilla feature to prevent XSS
-------------------------------+--------------------------------------------
Reporter: Denis-de-Bernardy | Owner: ryan
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Security | Version: 2.8
Severity: normal | Keywords:
-------------------------------+--------------------------------------------
Old description:
> http://blogs.zdnet.com/security/?p=3654
New description:
http://blogs.zdnet.com/security/?p=3654
1. Here’s how Content Security Policy can provide a way for server
administrators to reduce or eliminate their XSS attack surface. Website
administrators specify which domains the browser should treat as valid
sources of script.
2. The browser will only execute script in source files from the
white-listed domains and will disregard everything else, including inline
scripts and event-handling HTML attributes.
- Note: event-handling is still enabled in CSP without using HTML
attributes.
3. Sites that never want to have JavaScript included in their pages can
choose to globally disallow script.
--
Comment(by dd32):
Point 2 makes it a bit difficult by the sound of it. It seems to say that no
inline JS is allowed; it has to be in a file hosted on a white-listed
domain?
Also, can you find any references on how it's implemented? I couldn't see
any technical detail anywhere.
--
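A worked model of the three points in the ticket description, added here as an example; it is not code from the ticket, from WordPress core, or from Mozilla's implementation. It parses a script-src list of origins plus the keywords 'self', 'none' and * (that directive syntax is an assumption, modelled on the later standardised CSP header, not the 2009 Mozilla draft), scans a constructed WordPress-like page for the three script vectors, and reports which of them would execute: external files from a white-listed origin run, inline <script> bodies and on* attributes are disregarded, and 'none' disallows script globally.

```javascript
// Added example, not from the Trac ticket, WordPress or Mozilla.
// Models the script-source rule the ticket describes. The script-src
// syntax (origins, 'self', 'none', *) is an assumed, simplified form.

// Parse a script-src value into a policy. pageOrigin resolves 'self'.
function parseScriptSrc(value, pageOrigin) {
  const tokens = value.trim().split(/\s+/).filter(Boolean);
  const policy = { none: false, allowAll: false, origins: new Set() };
  for (const t of tokens) {
    const tok = t.toLowerCase();
    if (tok === "'none'") { policy.none = true; continue; }
    if (tok === "*") { policy.allowAll = true; continue; }
    if (tok === "'self'") { policy.origins.add(pageOrigin); continue; }
    try {
      // URL normalises scheme/host/port so "https://cdn.example.net/" and
      // "https://cdn.example.net" compare equal as origins.
      policy.origins.add(new URL(t).origin);
    } catch {
      // Malformed entry: ignore it rather than widen the policy.
    }
  }
  return policy;
}

// Would one script occurrence run under the policy?
// script.kind is "external" (with src), "inline" or "event-attribute".
function wouldExecute(policy, script, pageOrigin) {
  if (policy.none) return false;                 // point 3: script disallowed globally
  if (script.kind !== "external") return false;  // point 2: inline and on* ignored
  let origin;
  try {
    origin = new URL(script.src, pageOrigin).origin; // relative src -> page origin
  } catch {
    return false;
  }
  return policy.allowAll || policy.origins.has(origin);
}

// Crude regex scan for the three vectors; illustrative, not an HTML parser.
function findScripts(html) {
  const found = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) found.push({ kind: "external", src: src[1] });
    else found.push({ kind: "inline", code: m[2].trim() });
  }
  const attrRe = /\son[a-z]+\s*=\s*["']([^"']*)["']/gi;
  while ((m = attrRe.exec(html)) !== null) {
    found.push({ kind: "event-attribute", code: m[1] });
  }
  return found;
}

// Evaluate every script in a page under a script-src value.
function evaluatePage(html, scriptSrc, pageOrigin) {
  const policy = parseScriptSrc(scriptSrc, pageOrigin);
  return findScripts(html).map(s => ({ ...s, executes: wouldExecute(policy, s, pageOrigin) }));
}

// Constructed sample page: two external scripts, one inline script block
// (the kind themes and plugins emit via wp_head), and two injected handlers.
const SAMPLE_HTML = `
<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script>var wpAjaxUrl = "/wp-admin/admin-ajax.php";</script>
</head><body>
<a href="#" onclick="alert(document.cookie)">click</a>
<p>Hello <img src="x" onerror="alert(1)"></p>
</body></html>`;

const PAGE_ORIGIN = "https://blog.example.com"; // assumed site origin

for (const policy of ["'self'", "'self' https://cdn.example.net", "'none'"]) {
  console.log(`script-src ${policy}`);
  for (const s of evaluatePage(SAMPLE_HTML, policy, PAGE_ORIGIN)) {
    console.log(`  ${s.executes ? "runs   " : "blocked"} ${s.kind} ${s.src || ""}`);
  }
}
```

Run with node. Under 'self' only the site's own jquery.js runs; adding the CDN origin admits analytics.js; the inline block and both on* attributes are blocked under every policy, which is the behaviour point 2 describes and the reason an injected onerror handler does nothing even when a reflected-XSS bug puts it on the page.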
Ticket URL: <http://core.trac.wordpress.org/ticket/10237#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software