Re: XSS mitigation in browsers from Adam Barth on 2011-01-22 (public-web-security@w3.org from January 2011)

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 22 Jan 2011 01:12:27 -0800
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Gervase Markham <gerv@mozilla.org>, Michal Zalewski <lcamtuf@coredump.cx>, gaz Heyes <gazheyes@gmail.com>, Giorgio Maone <g.maone@informaction.com>, Daniel Veditz <dveditz@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>
Message-ID: <AANLkTi=AKhUjg+svKP8sG4TYM5NyDtVrOExQsU=EMVEq@mail.gmail.com>

On Sat, Jan 22, 2011 at 12:59 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>> If the CSP policy disables all script, how will the script run which detects
>> the event of a policy violation and reports it?
>
> Don't do that :). I mean, that is a problem with Adam's original proposal too.

Not really.  You just need to register for the events before including
the <meta> element.

Adam

Received on Saturday, 22 January 2011 09:13:32 UTC