
Re: XSS mitigation in browsers

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 20 Jan 2011 10:24:33 -0500
Message-ID: <4D3853B1.80609@mit.edu>
To: public-web-security@w3.org
 > 1) Instead of using HTTP headers, the policy is expressed in HTML.

This leaves the door open for various content-injection attacks that 
inject content before the policy <meta>.  Is the benefit of expressing 
the policy in the same file worth it?

-Boris
Received on Thursday, 20 January 2011 15:25:37 GMT
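The ordering problem Boris raises, shown as an added example that is not part of the thread and not code from any browser or from the proposal being discussed. A policy carried in an HTTP header is in force before the first byte of markup is parsed; a policy carried in a <meta> element can only take effect once the parser reaches that element, so anything an attacker manages to inject ahead of it is unpoliced. The toy sequential tokenizer below, the renderPage() template, the rule that inline scripts are blocked while a policy is in force, and the assumption that any script with a src attribute is same-origin are all constructed for illustration; the two injection payloads are constructed inputs.

```javascript
// Added example, not from the mailing-list thread. A toy sequential HTML
// tokenizer (an assumption for illustration: it understands start/end tags
// and <!-- comments -->, nothing else) that models one CSP property:
//   - a header-delivered policy is active from byte 0 of the document;
//   - a <meta http-equiv="Content-Security-Policy"> policy becomes active
//     only when the parser reaches that element.
// Scripts are treated as follows (constructed rule, not the full CSP
// algorithm): inline scripts run only while no policy is in force; scripts
// with a src attribute are assumed same-origin and allowed by script-src
// 'self' either way.

const TAG_RE = /<!--[\s\S]*?(?:-->|$)|<\/?([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;

// Walk the markup in document order, as a streaming parser would, and
// return the scripts that would execute: inline bodies verbatim, external
// ones as "src:<url>".
//   html          response body
//   headerPolicy  true if the response also carries a CSP header that
//                 forbids inline scripts
function executedScripts(html, headerPolicy) {
  let policyActive = headerPolicy;   // header policy: active before any markup
  const executed = [];
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    const token = m[0];
    // Everything inside a comment is inert, including a swallowed <meta>.
    if (token.startsWith('<!--')) continue;
    const name = m[1].toLowerCase();
    const attrs = m[2];
    if (name === 'meta' && /http-equiv=["']?content-security-policy/i.test(attrs)) {
      policyActive = true;           // meta policy: active only from here on
    } else if (name === 'script' && !token.startsWith('</')) {
      const end = html.indexOf('</script>', TAG_RE.lastIndex);
      const body = html.slice(TAG_RE.lastIndex, end === -1 ? html.length : end).trim();
      const src = /\bsrc=["']?([^"'\s>]+)/i.exec(attrs);
      if (src) {
        executed.push('src:' + src[1]);  // assumed same-origin: allowed by 'self'
      } else if (!policyActive) {
        executed.push(body);             // inline script, no policy in force yet
      }
      if (end !== -1) TAG_RE.lastIndex = end;  // skip the script body
    }
  }
  return executed;
}

// Constructed page: an attacker-controlled value is reflected into <title>,
// which sits BEFORE the policy <meta>, and a second value is reflected into
// the body. The site's own script is external and same-origin.
function renderPage(title, body) {
  return `<!DOCTYPE html><html><head>
<title>${title}</title>
<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
</head><body>${body}
<script src="/app.js"></script>
</body></html>`;
}

const benign = renderPage('Home', '<p>hello</p>');
// Injection 1: a script placed ahead of the <meta>. No policy exists yet.
const earlyScript = renderPage('x</title><script>alert(1)</script><title>', '<p>hello</p>');
// Injection 2: the first reflection opens a comment that swallows the <meta>
// entirely; the second reflection closes it and drops a script. The meta
// policy is never parsed, so it never applies at all.
const commentedOut = renderPage('x</title><!--', '--><script>alert(2)</script>');

for (const [label, html] of [['benign', benign], ['early script', earlyScript], ['meta commented out', commentedOut]]) {
  console.log(label, '| meta only:', executedScripts(html, false), '| header:', executedScripts(html, true));
}
```

Both injections succeed when the policy lives only in the markup and fail when the same policy is also sent as a header. The tokenizer is deliberately much simpler than the HTML5 parsing algorithm (it ignores RCDATA, attribute quoting edge cases and the rest), so it models the ordering argument, not a browser's actual parse of these inputs.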
