On 24 January 2011 18:29, Gervase Markham <gerv@mozilla.org> wrote:
> On 24/01/11 05:47, Devdatta Akhawe wrote:
>
>> I would also add developing policies for common applications like
>> Drupal, WordPress, MediaWiki etc. We tried to develop a CSP policy for
>> BugZilla and it seemed too much work to do it without enabling
>> inline-scripts.
>>
>
This is a fantastic idea but please lets think ahead, without sandboxed
areas of the site to mark, policy creation per site will be more difficult.
It isn't going to be that simple to just specify a policy of no external
script or events we need finer control over the content. XSS isn't about
just JavaScript it is about using every feature the browser offers to make a
remote/self referring request. For the record I repeat, using a start marker
is a bad idea you need to control zones/areas of the site use start and end
markers.