On 2008-06-25 13:09:43 -0700, Arun Ranganathan wrote:

> 2. Mitigation of XSS (Cross Site Scripting) and CSRF (Cross Site
> Request Forgery) Vulnerabilities. The idea is to provide a
> mechanism (possibly via HTTP headers, but not necessarily limited
> to HTTP headers) to stipulate a *strict* mode for script
> inclusion via "script src=" and prevention of inline scripts
> altogether. See Site Security Policy [5]. We encourage
> discussion about this topic via email. Will other members of the
> WG engage with Mozilla on this, via additional work items covered
> by the charter of this WG?

Without speaking to the scope question, I think this is an interesting area of work. I wonder how it might dovetail with ideas such as Google's Caja, and more general policy-enabling of in-browser method invocation models, and would be curious to hear your views on that.

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>

Received on Friday, 4 July 2008 08:52:53 GMT
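As an added illustration (not part of this thread, nor Mozilla's Site Security Policy code), the following checker shows the two rules the quoted proposal describes: external scripts may load only from listed origins, and inline scripts are refused outright. The header syntax (`script-src 'self' https://...`) is an assumption borrowed from the later Content-Security-Policy directive; the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy syntax, modelled on the later CSP "script-src" directive;
# Site Security Policy's own grammar is not reproduced here.
POLICY_HEADER = "script-src 'self' https://cdn.example.org"

def parse_script_src(header, page_origin):
    """Return the set of origins from which external scripts may load."""
    tokens = header.split()
    if not tokens or tokens[0] != "script-src":
        raise ValueError("expected a script-src directive")
    allowed = set()
    for tok in tokens[1:]:
        if tok == "'self'":
            allowed.add(page_origin)       # same origin as the page itself
        else:
            u = urlparse(tok)
            allowed.add(f"{u.scheme}://{u.netloc}")
    return allowed

class ScriptCollector(HTMLParser):
    """Record the src of every <script> element (None means inline)."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs).get("src"))

def audit(html, header, page_origin):
    """Return (kind, detail) for each script the strict policy would block."""
    allowed = parse_script_src(header, page_origin)
    collector = ScriptCollector()
    collector.feed(html)
    violations = []
    for src in collector.scripts:
        if src is None:                    # inline script: never allowed
            violations.append(("inline-script", None))
            continue
        u = urlparse(src)
        # A relative src (no host) resolves to the page's own origin.
        origin = f"{u.scheme}://{u.netloc}" if u.netloc else page_origin
        if origin not in allowed:
            violations.append(("external-script", src))
    return violations

# Constructed sample: one whitelisted CDN script, one same-origin script,
# one off-policy script and one inline script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.org/lib.js"></script>
<script src="/app.js"></script>
<script src="https://third-party.example.net/x.js"></script>
</head><body><script>init()</script></body></html>"""

if __name__ == "__main__":
    for v in audit(SAMPLE_HTML, POLICY_HEADER, "https://www.example.org"):
        print(v)
```

Only the third-party script and the inline block are reported; the CDN and same-origin scripts pass.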