Re: Restricting <base> URLS via CSP

From: Alex Russell <slightlyoff@google.com>
Date: Fri, 1 Mar 2013 18:03:00 +0000
Message-ID: <CANr5HFXNpXCAyVMJPppiP7hGcma3zDCfnfLfqsVtC5rpezbj0w@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: public-webappsec@w3.org, Michal Zalewski <lcamtuf@google.com>, Mike West <mkwst@google.com>, Adam Barth <w3c@adambarth.com>

On Feb 27, 2013 7:28 PM, "Devdatta Akhawe" <dev.akhawe@gmail.com> wrote:
>
> > This isn't just about scripts; it affects forms, images, and every other
> > sort of network behavior.
>
> My point was that web application authors opt-in to XSS protection
> only when they specify a script-src. In the absence of script-src, we
> are in XSS world, not post-xss.

Ah, yes. Apologies for getting your meaning the first time.
Received on Friday, 1 March 2013 18:03:27 GMT
