Newsgroups: mozilla.dev.security
From: Brandon Sterne <bste...@mozilla.com>
Date: Mon, 06 Jul 2009 10:58:08 -0700
Local: Mon, Jul 6 2009 1:58 pm
Subject: Re: Content Security Policy Spec questions and feedback
Thanks for the great feedback, Eric. I have some additional comments
that I haven't finished yet, but this was a quick one...

Gervase Markham wrote:
> On 06/07/09 01:28, EricLaw wrote:
>> Style-src
>> I don’t know what “style attributes of HTML elements” means.
> It means <div style="some CSS here"></div>

Perhaps the style-src tag does not need to apply to inline style after
all. Originally, we had thought we needed this restriction to prevent
CSS from being used as a vector for script injection via XBL and CSS
expressions. However, there is the other restriction already in place
which requires that XBL bindings come from chrome: or resource: URIs, so
the XSS risk is extremely low. The only other risk of allowing inline
CSS is page defacement, element hiding, etc. I think we should change
the script-src directive to only apply to

-Brandon
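The question Brandon raises (should style-src govern `style="..."` attributes at all?) was eventually settled in the standardized CSP, where inline style attributes are blocked unless the governing style directive carries 'unsafe-inline'. The evaluator below is an added example, not code from this thread or from Mozilla; it models the shipped CSP Level 3 fallback chains (style-src-attr / style-src-elem, then style-src, then default-src), which differ from the 2009 draft being discussed, and all policies, origins and URLs in it are constructed.

```python
# Constructed sample values, not from the post; PAGE_ORIGIN stands in for the document origin.
PAGE_ORIGIN = "https://app.example"

def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in policy:  # first occurrence of a directive wins
            policy[parts[0].lower()] = parts[1:]
    return policy

def governing_sources(policy, chain):
    """First directive of the fallback chain present in the policy, else None."""
    return next((policy[n] for n in chain if n in policy), None)

def inline_style_attr_allowed(header):
    """style="..." attributes: governed by style-src-attr, style-src, default-src."""
    srcs = governing_sources(parse_csp(header), ("style-src-attr", "style-src", "default-src"))
    if srcs is None:
        return True  # nothing governs inline style: not restricted
    # 'unsafe-inline' is ignored once a nonce or hash source is listed ('unsafe-hashes' not modelled).
    if any(s.startswith(("'nonce-", "'sha")) for s in srcs):
        return False
    return "'unsafe-inline'" in srcs

def _source_matches(src, scheme, host):
    if src == "'self'":
        return f"{scheme}://{host}" == PAGE_ORIGIN
    if src.startswith("'"):
        return False  # keywords, nonces and hashes never match a URL
    s_scheme, sep, s_host = src.partition("://")
    if not sep:  # host-only source such as cdn.example
        s_scheme, s_host = "", src
    if s_scheme and s_scheme != scheme:
        return False
    s_host = s_host.split("/")[0].lower()
    if s_host.startswith("*."):
        return host.endswith(s_host[1:])
    return s_host == host

def external_stylesheet_allowed(header, sheet_url):
    """<link rel=stylesheet>: governed by style-src-elem, style-src, default-src."""
    srcs = governing_sources(parse_csp(header), ("style-src-elem", "style-src", "default-src"))
    if srcs is None:
        return True
    scheme, _, rest = sheet_url.partition("://")
    host = rest.split("/")[0].lower()
    return any(_source_matches(s, scheme, host) for s in srcs)
```

With `default-src 'self'; style-src 'self' https://cdn.example` an external sheet from cdn.example loads but a `style` attribute is dropped, which is exactly the trade-off (defacement versus usability) the post weighs.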