- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 18 Feb 2011 21:14:32 -0800
- To: public-web-security@w3.org
On 2/18/11 9:00 PM, Adam Barth wrote:
> I'm suggesting that we trigger disabling inline-scripts and JavaScript
> URLs on the presence of script-src (regardless of the value of the
> script-src directive) or of another directive (e.g., default-src) that
> implies script-src.

And I'm suggesting that inline scripts and javascript: urls are the
predominant source of XSS and should be banned outright. CSP-implementing
user agents may provide a way to turn those features back on if they wish.
Neither has much to do with the src of a script tag.

-Dan Veditz
Received on Saturday, 19 February 2011 05:15:43 UTC
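The rule under discussion, as an added example that is not part of the thread or of any CSP implementation: a small model in which the mere presence of script-src (or of default-src, which implies it) disables inline scripts and javascript: URLs, while external scripts are still judged against the source list. The `uaOptIn` flag and the `req` shape are assumptions standing in for Dan's "user agents may provide a way to turn those features back on".

```javascript
// Added example, not code from the thread. Models the proposed CSP rule:
// inline scripts and javascript: URLs are disabled whenever script-src is
// present (whatever its value) or default-src is present (it implies script-src).

// Parse "name src1 src2; name2 ..." into a Map of directive name -> source list.
// Duplicate directive names keep the first occurrence.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Minimal source-expression matching for external scripts: 'none', '*',
// 'self' (same origin as the page) or a literal origin such as https://cdn.example.com.
function sourceMatches(source, scriptOrigin, pageOrigin) {
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") return scriptOrigin === pageOrigin;
  return source.toLowerCase() === String(scriptOrigin).toLowerCase();
}

// req: { kind: 'inline' | 'javascript-url' | 'external', origin?, pageOrigin? }
// uaOptIn (hypothetical): a user-agent switch that re-enables inline/javascript: scripts.
function scriptAllowed(header, req, uaOptIn = false) {
  const d = parseCsp(header);
  const list = d.has('script-src') ? d.get('script-src') : d.get('default-src');
  if (list === undefined) return true;            // no directive governs scripts
  if (req.kind !== 'external') return uaOptIn;     // presence alone bans inline / javascript:
  return list.some(s => sourceMatches(s, req.origin, req.pageOrigin));
}
```

Note that `scriptAllowed("script-src *", {kind: 'inline'})` is still false: under the proposed rule the value of the directive does not matter for inline code, only its presence.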