
Re: More on XSS mitigation (was Re: XSS mitigation in browsers)

From: Gervase Markham <gerv@mozilla.org>
Date: Sat, 22 Jan 2011 08:29:07 +0000
Message-ID: <4D3A9553.3020908@mozilla.org>
To: Michal Zalewski <lcamtuf@coredump.cx>
CC: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org

On 21/01/11 22:44, Michal Zalewski wrote:
> 3) Allowing inline scripts guarded by policy-specified nonce tokens
> (<meta>  says "inline-script-token=$random", inline scripts have
> <script token="$previously_specified_random">...</script>). This
> eliminates one of the most significant issues with deploying CSP or
> this proposal on sites that are extremely concerned about the overhead
> of extra HTTP requests; for example, much of *.google.com is subject
> to such concerns.

http://www.gerv.net/security/script-keys/

Gerv
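The token scheme quoted above, as an added example that is not from this thread or from either browser: the server declares a fresh per-response token in the policy `<meta>` and puts the same token on its own inline script, and a simulated enforcement pass allows only inline scripts whose token matches. The attribute names follow the quoted proposal; the page markup, `initPage()` and the injected comment are constructed for illustration.

```python
import secrets
import hmac
from html.parser import HTMLParser

# Attribute names as in the quoted proposal; the markup is a constructed sample.
POLICY_ATTR = "inline-script-token"


def new_token() -> str:
    """Fresh, unguessable per-response token (128 bits); never reuse across responses."""
    return secrets.token_hex(16)


def render_page(token: str, user_comment: str) -> str:
    """Server side: declare the token in <meta>, tag the site's own inline script
    with it, and embed untrusted user content as-is (no token on anything in it)."""
    return (
        f'<html><head><meta {POLICY_ATTR}="{token}"></head><body>'
        f'<script token="{token}">initPage();</script>'
        f'<div class="comment">{user_comment}</div>'
        "</body></html>"
    )


class _ScriptAudit(HTMLParser):
    """Simulated browser pass: record the policy token and each <script>'s token."""
    def __init__(self):
        super().__init__()
        self.policy = None
        self.script_tokens = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and POLICY_ATTR in attrs:
            self.policy = attrs[POLICY_ATTR]
        elif tag == "script":
            self.script_tokens.append(attrs.get("token"))


def audit_inline_scripts(html: str):
    """Return (token, allowed) per inline script. With a policy present, a script
    runs only if its token equals the policy token (constant-time compare); a
    page that declares no policy is unrestricted, i.e. legacy behaviour."""
    p = _ScriptAudit()
    p.feed(html)
    if p.policy is None:
        return [(tok, True) for tok in p.script_tokens]
    return [
        (tok, tok is not None and hmac.compare_digest(tok, p.policy))
        for tok in p.script_tokens
    ]
```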
Received on Saturday, 22 January 2011 08:29:44 GMT