- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 4 Jul 2008 10:52:19 +0200
- To: Arun Ranganathan <arun@mozilla.com>
- Cc: Ian Hickson <ian@hixie.ch>, aa@google.com, Ben Turner <bturner@mozilla.com>, Johnny Stenback <jst@mozilla.com>, Jonas Sicking <sicking@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>, chaals@opera.com, mjs@apple.com, chris.wilson@microsoft.com, public-webapps@w3.org, schepers@w3.org, dveditz@mozilla.com
On 2008-06-25 13:09:43 -0700, Arun Ranganathan wrote:

> 2. Mitigation of XSS (Cross Site Scripting) and CSRF (Cross Site
> Request Forgery) Vulnerabilities. The idea is to provide a
> mechanism (possibly via HTTP headers, but not necessarily limited
> to HTTP headers) to stipulate a *strict* mode for script
> inclusion via "script src=" and prevention of inline scripts
> altogether. See Site Security Policy [5]. We encourage
> discussion about this topic via email. Will other members of the
> WG engage with Mozilla on this, via additional work items covered
> by the charter of this WG?

Without speaking to the scope question, I think this is an
interesting area of work. I wonder how it might dovetail with ideas
such as Google's Caja, and more general policy-enabling of in-browser
method invocation models, and would be curious to hear your views on
that.

Regards,
-- 
Thomas Roessler, W3C <tlr@w3.org>
Received on Friday, 4 July 2008 08:52:53 UTC
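The strict script policy that Arun's quoted item describes (a server-sent policy naming the origins a page may load scripts from, plus an outright ban on inline script), as an added example that is not part of this thread and not code from Mozilla's Site Security Policy draft: a toy enforcer in JavaScript that takes a policy header value, the page URL and the page's HTML and reports which script elements and inline event handlers the policy would let run. The directive syntax (`script-src`, `'self'`, `inline-script deny`), the page URL, the policy and the HTML are all constructed for this example and are not the draft's own.

```javascript
// Added example, not code from the thread or from Mozilla's Site Security Policy draft.
// It models the "strict mode" Arun describes: a server-sent policy that whitelists the
// origins a page may load scripts from and forbids inline script. The directive syntax
// (script-src / inline-script) is a hypothetical stand-in for whatever the draft used.

// Parse a policy like "script-src 'self' https://static.example.com; inline-script deny".
function parsePolicy(headerValue, pageUrl) {
  const policy = { allowedOrigins: new Set(), inlineAllowed: true };
  const pageOrigin = new URL(pageUrl).origin;
  for (const directive of headerValue.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/).filter(Boolean);
    if (name === 'script-src') {
      for (const v of values) {
        // 'self' means the document's own origin; anything else is an absolute origin.
        policy.allowedOrigins.add(v === "'self'" ? pageOrigin : new URL(v).origin);
      }
    } else if (name === 'inline-script') {
      policy.inlineAllowed = values[0] === 'allow';
    }
  }
  return policy;
}

// Pull every script element and every on* event-handler attribute out of a page.
// A regex scanner is enough for this demonstration; a browser would walk the DOM.
function extractScripts(html) {
  const found = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const srcRe = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = srcRe.exec(m[1]);
    if (src) {
      found.push({ kind: 'external', src: src[1] ?? src[2] ?? src[3] });
    } else {
      found.push({ kind: 'inline', code: m[2].trim() });
    }
  }
  // Event-handler attributes (onload, onclick, ...) are inline script too.
  const handlerRe = /\s(on[a-z]+)\s*=/gi;
  while ((m = handlerRe.exec(html)) !== null) {
    found.push({ kind: 'handler', attr: m[1].toLowerCase() });
  }
  return found;
}

// Decide, per script, whether the policy lets it run.
function evaluate(policy, pageUrl, html) {
  return extractScripts(html).map((s) => {
    if (s.kind === 'external') {
      // Resolve relative and protocol-relative URLs against the page before comparing
      // origins: the whitelist is matched on scheme + host + port, never on path.
      const origin = new URL(s.src, pageUrl).origin;
      const allowed = policy.allowedOrigins.has(origin);
      return { ...s, origin, allowed, reason: allowed ? 'origin whitelisted' : 'origin not in script-src' };
    }
    const allowed = policy.inlineAllowed;
    return { ...s, allowed, reason: allowed ? 'inline permitted' : 'inline script denied by policy' };
  });
}

// Constructed sample page, URL and policy (not from the thread).
const PAGE_URL = 'https://www.example.com/index.html';
const POLICY_HEADER = "script-src 'self' https://static.example.com; inline-script deny";
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="https://static.example.com/lib.js"></script>
<script src="//cdn.example.net/widget.js"></script>
<script src="https://evil.example.org/x.js"></script>
<script>document.write(location.hash);</script>
</head><body onload="init()"><p>hello</p></body></html>`;

function runSample() {
  const policy = parsePolicy(POLICY_HEADER, PAGE_URL);
  return evaluate(policy, PAGE_URL, SAMPLE_HTML);
}

for (const d of runSample()) {
  console.log(d.allowed ? 'ALLOW' : 'BLOCK', d.kind, d.src ?? d.attr ?? d.code, '-', d.reason);
}
```

Two points the toy makes visible: event-handler attributes have to count as inline script, or the "no inline scripts" rule is trivially bypassed with `<body onload=...>`; and because the whitelist is an origin match, any whitelisted origin that also serves attacker-controlled files (user uploads, an open redirector) lets script in regardless of path.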