Re: XSS mitigation in browsers

> "User Agents MUST NOT block:
>  * Scripts imported from external files whose sources are allowed by
> the protected document's policy AND are served with a Content-Type of
> application/javascript or application/json."

Well, that's "MUST NOT block", not "MUST block the opposite" :-) But
yeah, that aspect is easy to fix.

/mz

Received on Thursday, 20 January 2011 23:03:33 UTC
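
Added example, not part of the original message or the CSP draft: a small JavaScript model of the quoted clause. It shows two hypothetical user agents, one ignoring Content-Type and one enforcing it, that both satisfy "MUST NOT block" yet disagree on allowed-source responses served with other types. All function names and sample loads are constructed for illustration.

```javascript
// Added illustration; models only the clause quoted in the message.
// All names and sample loads below are constructed, not from the CSP draft.
const SCRIPT_TYPES = new Set(["application/javascript", "application/json"]);

// Strip parameters such as "; charset=utf-8" and normalise case.
function mediaType(header) {
  return String(header || "").split(";")[0].trim().toLowerCase();
}

// The quoted clause: source allowed by policy AND a listed Content-Type.
function clauseApplies(load) {
  return load.sourceAllowed && SCRIPT_TYPES.has(mediaType(load.contentType));
}

// Two hypothetical user agents; each returns true when it executes the script.
// Assumption: both block sources the policy does not allow.
const lenientUA = (load) => load.sourceAllowed;   // never looks at Content-Type
const strictUA = (load) => clauseApplies(load);   // also "blocks the opposite"

// Loads where a user agent breaks "MUST NOT block".
function violations(ua, loads) {
  return loads.filter((l) => clauseApplies(l) && !ua(l));
}

// Loads on which two user agents behave differently.
function disagreements(uaA, uaB, loads) {
  return loads.filter((l) => uaA(l) !== uaB(l));
}

// Constructed sample loads.
const LOADS = [
  { url: "https://cdn.example/app.js", sourceAllowed: true, contentType: "application/javascript; charset=utf-8" },
  { url: "https://cdn.example/data", sourceAllowed: true, contentType: "application/json" },
  { url: "https://cdn.example/page.html", sourceAllowed: true, contentType: "text/html" },
  { url: "https://cdn.example/avatar.png", sourceAllowed: true, contentType: "image/png" },
  { url: "https://other.example/x.js", sourceAllowed: false, contentType: "application/javascript" },
];

console.log("lenient violations:", violations(lenientUA, LOADS).length);
console.log("strict violations:", violations(strictUA, LOADS).length);
for (const l of disagreements(lenientUA, strictUA, LOADS)) {
  console.log("differs:", l.url, mediaType(l.contentType));
}
```

Neither model violates the clause, so a conformance test written only against "MUST NOT block" cannot tell them apart; only the strict one refuses the text/html and image/png responses.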