Commenting myself – the best kind of commenting ...
2011/1/24 John Wilander <john.wilander@owasp.org>
> *Scripts vs Domains*
> I think we will have to be very clear in the spec on whether we're trusting
> scripts or domains. NoScript is actually NoDomain which I've tried to
> explain numerous times but IT people still interpret NoScript as actually
> filtering scripts.
>
This should really be Scripts vs Script references vs Domains since all
three have been suggested:
- Signatures => filtering on scripts, effectively lexical layout and
encoding of scripts, not semantics.
- Nonces or full URLs => filtering on script references. One reference
may point to N scripts and M references may point to one script. Developers
often use bogus URL changes to circumvent caches so this is a reality.
- Domains.
/John
--
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee