Re: [Content Security Policy] Proposal to move the debate forward

From: <robert@webappsec.org>
Date: Fri, 28 Jan 2011 16:50:31 -0500 (EST)
Message-ID: <20110128215031.19973.qmail@cgisecurity.net>
To: bzbarsky@MIT.EDU (Boris Zbarsky)
Cc: w3c@adambarth.com (Adam Barth), public-web-security@w3.org

> Does allowing attackers to rewrite the text on your page (but not run 
> any script) have security impact?

Yes, this can allow for content spoofing depending on the reflection point.
http://projects.webappsec.org/w/page/13246917/Content-Spoofing

Regards,
- Robert Auger
http://www.webappsec.org/
http://www.cgisecurity.com/
http://www.qasec.com/
Received on Saturday, 29 January 2011 22:19:01 GMT
