
Re: XSS mitigation in browsers

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Thu, 20 Jan 2011 15:02:39 -0800
Message-ID: <AANLkTi=Db8wgZsjLrwo3kHnHvF4dKAMG7RR3sk-RYUBy@mail.gmail.com>
To: Sid Stamm <sid@mozilla.com>
Cc: Brandon Sterne <bsterne@mozilla.com>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>
> "User Agents MUST NOT block:
> " * Scripts imported from external files whose sources are allowed by
> the protected document's policy AND are served with a Content-Type of
> application/javascript or application/json. "

Well, that's "MUST NOT block", not "MUST block the opposite" :-) But
yeah, that aspect is easy to fix.

Received on Thursday, 20 January 2011 23:03:33 GMT
