- From: Collin Jackson <collin.jackson@sv.cmu.edu>
- Date: Sat, 19 Feb 2011 05:19:17 +0000
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: public-web-security@w3.org
I think bundling the inline script blocking functionality with the script-src directive makes a lot of sense. It's confusing to have some security features that are on by default and others that you have to turn on manually. The empty policy should have no effect.

On Sat, Feb 19, 2011 at 5:14 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 2/18/11 9:00 PM, Adam Barth wrote:
>> I'm suggesting that we trigger disabling inline-scripts and JavaScript
>> URLs on the presence of script-src (regardless of the value of the
>> script-src directive) or of another directive (e.g., default-src) that
>> implies script-src.
>
> And I'm suggesting that inline scripts and javascript: urls are the
> predominant source of XSS and should be banned outright.
> CSP-implementing user agents may provide a way to turn those features
> back on if they wish. Neither has much to do with the src of a
> script tag.
>
> -Dan Veditz
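The two proposals in this thread, modelled as policy checks (an added example, not code from the thread or any browser): the presence rule disables inline script whenever script-src or default-src appears, whatever its value, and the ban-outright rule blocks inline script for any non-empty policy unless an opt-in keyword is present. The choice of default-src as the only script-src-implying directive and the `'unsafe-inline'` opt-in keyword (the name later standardised in CSP) are assumptions of this example.

```python
from typing import Dict, List

# Directives treated as implying script-src for the presence rule.
# Limiting this to default-src is an assumption of this example.
SCRIPT_IMPLYING = ("script-src", "default-src")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source-expressions]}.

    Directives are ';'-separated; the first token is the name, the rest are
    source expressions. Names are case-insensitive, duplicates after the
    first are ignored, and an empty policy yields {} (no effect).
    """
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue  # empty segment, including the empty policy
        name = tokens[0].lower()
        directives.setdefault(name, tokens[1:])
    return directives


def inline_blocked_by_presence(policy: str) -> bool:
    """Adam Barth's proposal: inline scripts and javascript: URLs are
    disabled whenever script-src, or a directive implying it, is present,
    regardless of the directive's value."""
    directives = parse_csp(policy)
    return any(name in directives for name in SCRIPT_IMPLYING)


def inline_blocked_outright(policy: str, opt_in: str = "'unsafe-inline'") -> bool:
    """Dan Veditz's proposal: any non-empty policy bans inline script, and a
    user agent may offer an explicit way to turn it back on. The opt-in
    keyword is an assumption of this example, not something the thread names."""
    directives = parse_csp(policy)
    if not directives:
        return False  # the empty policy has no effect
    sources = directives.get("script-src", directives.get("default-src", []))
    return opt_in not in sources
```

Note that under the presence rule `script-src *` still blocks inline script, while under the ban-outright rule even a policy that never mentions script-src (for example `img-src *`) does.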
Received on Saturday, 19 February 2011 05:21:09 UTC