Re: More on XSS mitigation (was Re: XSS mitigation in browsers)

On 22 January 2011 08:29, Gervase Markham <gerv@mozilla.org> wrote:

> On 21/01/11 22:44, Michal Zalewski wrote:
>
>> 3) Allowing inline scripts guarded by policy-specified nonce tokens
>> (<meta>  says "inline-script-token=$random", inline scripts have
>> <script token="$previously_specified_random">...</script>). This
>> eliminates one of the most significant issues with deploying CSP or
>> this proposal on sites that are extremely concerned about the overhead
>> of extra HTTP requests; for example, much of *.google.com is subject
>> to such concerns.
>>
>
> http://www.gerv.net/security/script-keys/
>

Both this and the meta tag are vulnerable to any sort of HTML attribute
injection, which is why I suggested using both an opening and a closing
randomized tag, e.g. <meta nothankyou=' would enclose any existing tags
until the next ' and >, which would either disable the intended restriction
or, even worse, allow you to use the key.

Received on Saturday, 22 January 2011 10:34:38 UTC
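As an added illustration (my own sketch, not code from this thread or from any browser), the following Python simulates the <meta>-token scheme with a deliberately simplified tokenizer: a policy <meta> publishes a per-response token and only inline <script> elements carrying the same token count as authorised. The attribute names inline-script-token and token, the initProfile() script and the comment field are assumptions; output encoding of the untrusted value is shown as the check that keeps the intended <script> element from being swallowed, which is a separate measure from the opening-and-closing randomized tag proposed above.

```python
import html
import secrets

def scan_tags(doc):
    """Return the raw content of each tag (text between '<' and its '>').
    Simplified tokenizer: a quote opened right after '=' runs until the
    matching quote, even across what the author meant as later tags."""
    tags, i = [], 0
    while (i := doc.find("<", i)) >= 0:
        j, quote = i + 1, None
        while j < len(doc) and (quote or doc[j] != ">"):
            if quote:
                quote = None if doc[j] == quote else quote
            elif doc[j] in "\"'" and doc[j - 1] == "=":
                quote = doc[j]
            j += 1
        tags.append(doc[i + 1:j])
        i = j + 1
    return tags

def attr(tag, name):
    """Value of a double- or single-quoted attribute inside a scanned tag."""
    for q in ('"', "'"):
        key = f" {name}={q}"
        if key in tag:
            return tag.split(key, 1)[1].split(q, 1)[0]
    return None

def authorised_scripts(doc):
    """Bodies of inline scripts whose token equals the <meta> policy token."""
    tags = scan_tags(doc)
    policy = next((attr(t, "inline-script-token") for t in tags
                   if t.startswith("meta ")), None)
    bodies = []
    for t in tags:
        if policy and t.startswith("script ") and attr(t, "token") == policy:
            start = doc.index("<" + t) + len(t) + 2   # just past the '>'
            bodies.append(doc[start:doc.index("</script", start)].strip())
    return bodies

def render(token, comment, encode_untrusted):
    """Page with the policy <meta>, an untrusted comment in text context and
    one legitimate token-guarded inline script (assumed layout)."""
    text = html.escape(comment, quote=True) if encode_untrusted else comment
    return (f'<meta inline-script-token="{token}">'
            f"<p>{text}</p>"
            f'<script token="{token}">initProfile();</script>')

def check(comment, encode_untrusted=True):
    """Fresh per-response token; return the scripts the policy would run."""
    token = secrets.token_urlsafe(16)
    return authorised_scripts(render(token, comment, encode_untrusted))
```

With the thread's `<meta nothankyou='` as the unencoded comment the open quote swallows the rest of the page and the legitimate script is never seen; encoded, the intended script survives.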