
Re: More on XSS mitigation (was Re: XSS mitigation in browsers)

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 24 Jan 2011 15:52:30 -0800
Message-ID: <AANLkTim7v6+QxLoGDRU8fp0chVyJ7ZKL9fdO5CUBKa8t@mail.gmail.com>
To: Gervase Markham <gerv@mozilla.org>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, John Wilander <john.wilander@owasp.org>, Michal Zalewski <lcamtuf@coredump.cx>, gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org, Joel Howard Willis Weinberger <jww@eecs.berkeley.edu>

On Mon, Jan 24, 2011 at 10:29 AM, Gervase Markham <gerv@mozilla.org> wrote:
> On 24/01/11 05:47, Devdatta Akhawe wrote:
>> I would also add developing policies for common applications like
>> Drupal, WordPress, MediaWiki etc. We tried to develop a CSP policy for
>> BugZilla and it seemed too much work to do it without enabling
>> inline-scripts.
>
> Did you communicate with the Bugzilla development team while doing this? I
> didn't see anything cross the mailing list... Getting Bugzilla in a state
> where it can have a CSP policy would be a great thing. Why not file a bug
> about it?

We did this as an experiment to evaluate how easy it was to deploy CSP
on a real web site.  Joel can tell you more of the details.  We
eventually got it working, although we had to do some work to avoid
losing performance.

Adam
Received on Monday, 24 January 2011 23:53:30 GMT
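The trade-off the thread circles around is whether a site's CSP policy can avoid 'unsafe-inline' for scripts. The following is an added example, not code from the thread or from the Bugzilla work it mentions: it parses a Content-Security-Policy header and reports whether a plain inline <script> (no nonce, no hash) would be allowed to run, taking the default-src fallback into account. The three policies are constructed for illustration.

```python
import re

# Constructed example policies (not the Bugzilla policy discussed in the thread).
# WEAK: the shortcut of allowing inline scripts, which also lets an injected
# inline script run, so the policy does not mitigate reflected/stored XSS.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'"
# HARDENED: inline scripts moved to external same-origin files.
HARDENED_POLICY = "default-src 'self'; script-src 'self'"
# NONCED: a nonce-source (CSP level 2+) whitelists specific inline blocks;
# when a nonce or hash is present, 'unsafe-inline' is ignored by the browser.
NONCED_POLICY = "script-src 'self' 'nonce-abc123' 'unsafe-inline'"


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source tokens]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            # A repeated directive is ignored; the first occurrence wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_src(policy: dict):
    """script-src, falling back to default-src; None means scripts are unrestricted."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def allows_inline_script(header: str) -> bool:
    """True if the policy would execute an inline <script> carrying no nonce or hash."""
    sources = effective_script_src(parse_csp(header))
    if sources is None:
        return True  # neither script-src nor default-src: nothing restricts scripts
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return False
    # A nonce- or hash-source in the same list disables 'unsafe-inline'.
    has_nonce_or_hash = any(
        re.match(r"'(nonce-|sha(256|384|512)-)", s) for s in lowered
    )
    return not has_nonce_or_hash
```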
