Re: XSS mitigation in browsers

On 1/22/11 12:59 AM, Devdatta Akhawe wrote:
>> If the CSP policy disables all script, how will the script run which detects
>> the event of a policy violation and reports it?
> Don't do that :). I mean, that is a problem with Adam's original proposal too.

There are cases where complete script disabling might be
appropriate, why not? We do that in the Firefox UI in a couple of
places, and whoever invented the HTML 5 <iframe> sandbox attribute
thought it was useful.

Received on Saturday, 22 January 2011 10:37:31 UTC