- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 22 Jan 2011 01:26:16 -0800
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Gervase Markham <gerv@mozilla.org>, Michal Zalewski <lcamtuf@coredump.cx>, gaz Heyes <gazheyes@gmail.com>, Giorgio Maone <g.maone@informaction.com>, Daniel Veditz <dveditz@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>
On Sat, Jan 22, 2011 at 1:21 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> I thought the question was 'if scripting is disabled by a faulty
> policy, your registered event handler won't run'. Did I misunderstand
> it?

If you make arbitrary mistakes, nothing can save you. If you do
something remotely reasonable, you'll be fine:

    <html>
    <head>
    <script>
    document.addEventListener("SecurityViolation", function () {
      ... report violation ...
    }, true);
    </script>
    <meta name="allowed-scripts" content="... oops, i screwed this up badly ...">
    ...

Adam

> On 22 January 2011 01:12, Adam Barth <w3c@adambarth.com> wrote:
>> On Sat, Jan 22, 2011 at 12:59 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>>> If the CSP policy disables all script, how will the script run which detects
>>>> the event of a policy violation and reports it?
>>>
>>> Don't do that :). I mean, that is a problem with Adam's original proposal too.
>>
>> Not really. You just need to register for the events before including
>> the <meta> element.
>>
>> Adam
>>
>
Received on Saturday, 22 January 2011 09:27:16 UTC
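
A toy model of the ordering argument in the message above, added here as an illustration; it is not code from the thread or from any browser. It assumes the policy takes effect from the `<meta>` element onward and that `allowed-scripts` is a whitespace-separated allow list of script ids; `processDocument`, the node objects and `doc.report` are hypothetical names.

```javascript
// Toy in-order document processor (assumed semantics, see lead-in).
function processDocument(nodes) {
  const listeners = []; // handlers registered for "SecurityViolation"
  const reports = [];   // what the page's reporting handler collected
  let policy = null;    // null until the <meta> element is reached

  const doc = {
    addEventListener(type, fn) {
      if (type === "SecurityViolation") listeners.push(fn);
    },
    report(detail) { reports.push(detail); },
  };

  for (const node of nodes) {
    if (node.tag === "meta" && node.name === "allowed-scripts") {
      policy = node.content.split(/\s+/).filter(Boolean);
    } else if (node.tag === "script") {
      if (policy === null || policy.includes(node.id)) {
        node.run(doc); // runs: no policy in force yet, or explicitly allowed
      } else {
        // Blocked: only handlers registered before this point are notified.
        for (const fn of listeners) fn({ blocked: node.id });
      }
    }
  }
  return reports;
}

// Constructed sample document pieces.
const reporter = {
  tag: "script", id: "reporter",
  run: (doc) => doc.addEventListener("SecurityViolation",
    (e) => doc.report(e.blocked)),
};
const app = { tag: "script", id: "app", run: () => {} };
const brokenPolicy = { tag: "meta", name: "allowed-scripts", content: "oops" };

// Handler registered before the broken policy: the violation is reported.
function handlerFirst() { return processDocument([reporter, brokenPolicy, app]); }
// Broken policy first: the reporter itself is blocked, so nothing is reported.
function policyFirst() { return processDocument([brokenPolicy, reporter, app]); }
```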