Re: Proposed directive for CSP.next: "no-user-js"

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Wed, 14 Dec 2011 14:14:05 -0800
Message-ID: <CALx_OUCpfP7009jyEWj7SRog=aRxjPNWmQVViD+rUc10CC+iYw@mail.gmail.com>
To: Brandon Sterne <bsterne@mozilla.com>
Cc: public-web-security@w3.org

> [1] Mozilla pissed off a huge number of people by turning off javascript: URLs in the location bar.  See the comment thread in https://bugzilla.mozilla.org/show_bug.cgi?id=656433

But the problem with that was mostly that you couldn't turn it back,
right? There was an about:config setting, but the script would still
execute in a null principal after the change; and the scripts executed
via Ctrl-Shift-J or Ctrl-Shift-K have elevated privileges and don't
behave the same way as normal javascript: URLs.

It seems a bit weird to fix this on a per-site basis. Seems like a
per-user approach with robust defaults is more sensible.

/mz

Received on Wednesday, 14 December 2011 22:15:08 GMT