Re: XSS mitigation in browsers

> 1) Instead of using HTTP headers, the policy is expressed in HTML.

This leaves the door open for various content-injection attacks that 
inject content before the policy <meta>.  Is the benefit of expressing 
the policy in the same file worth it?

-Boris

Received on Thursday, 20 January 2011 15:25:37 UTC
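The ordering problem raised above can be checked mechanically. The following is an added example, not code from this thread or from any browser or spec project: a small Node.js audit that, given a response's headers and its HTML body, reports whether the policy arrives as a `Content-Security-Policy` header (which governs the whole response) or only as a `<meta http-equiv="Content-Security-Policy">` tag, and in the latter case whether any active element (script, iframe, link, style, image, base) appears in the markup the parser sees before that tag. The header name, the meta form, the list of "active" elements and the sample pages are the assumptions this example makes.

```javascript
// Added example (not from the mailing-list thread): audit how a page delivers
// its Content-Security-Policy. Assumes the standard header name and the
// <meta http-equiv="Content-Security-Policy" content="..."> in-document form.

// Matches the in-document policy tag, case-insensitively.
const META_CSP_RE =
  /<meta\b[^>]*http-equiv\s*=\s*["']?content-security-policy["']?[^>]*>/i;

// Elements that can run or fetch something. Assumed list for this audit;
// anything of this kind parsed before the <meta> tag is not covered by it.
const ACTIVE_CONTENT_RE = /<(script|iframe|object|embed|link|style|img|base)\b/i;

// Returns { viaHeader, viaMeta, activeBeforePolicy, verdict } where verdict is
// 'header' | 'none' | 'meta-after-content' | 'meta-only'.
function auditPolicyDelivery(headers, html) {
  const viaHeader = Object.keys(headers)
    .some((name) => name.toLowerCase() === 'content-security-policy');
  const meta = META_CSP_RE.exec(html);
  const viaMeta = meta !== null;

  // Markup before the <meta> tag is parsed while no policy exists yet.
  const prefix = viaMeta ? html.slice(0, meta.index) : html;
  const activeBeforePolicy = !viaHeader && viaMeta && ACTIVE_CONTENT_RE.test(prefix);

  let verdict;
  if (viaHeader) verdict = 'header';            // whole response is covered
  else if (!viaMeta) verdict = 'none';          // no policy delivered at all
  else if (activeBeforePolicy) verdict = 'meta-after-content'; // gap before the tag
  else verdict = 'meta-only';                   // applies, but ordering is the only guard
  return { viaHeader, viaMeta, activeBeforePolicy, verdict };
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  header: {
    headers: { 'Content-Security-Policy': "default-src 'self'" },
    html: '<!doctype html><html><head><title>a</title></head><body></body></html>',
  },
  metaAfterScript: {
    headers: {},
    html: '<!doctype html><html><head><script src="/analytics.js"></script>' +
      '<meta http-equiv="Content-Security-Policy" content="default-src \'self\'">' +
      '</head><body></body></html>',
  },
  metaFirst: {
    headers: {},
    html: '<!doctype html><html><head>' +
      '<meta http-equiv="Content-Security-Policy" content="default-src \'self\'">' +
      '<script src="/app.js"></script></head><body></body></html>',
  },
};

// Runs the audit over every sample and returns name -> verdict.
function auditSamples() {
  const out = {};
  for (const [name, s] of Object.entries(SAMPLES)) {
    out[name] = auditPolicyDelivery(s.headers, s.html).verdict;
  }
  return out;
}

console.log(auditSamples());
```

The `header` case is the one the reply argues for: because the policy is attached to the response rather than to a position in the body, nothing injected into the document can precede it. The `metaAfterScript` case is the failure mode Boris describes, and the check flags it; `metaFirst` is the best a meta-only policy can do, and it still depends on nothing ever being injected ahead of the tag.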