Re: More on XSS mitigation (was Re: XSS mitigation in browsers)

On Mon, Jan 24, 2011 at 10:29 AM, Gervase Markham <gerv@mozilla.org> wrote:
> On 24/01/11 05:47, Devdatta Akhawe wrote:
>> I would also add developing policies for common applications like
>> Drupal, WordPress, MediaWiki etc. We tried to develop a CSP policy for
>> Bugzilla and it seemed too much work to do it without enabling
>> inline-scripts.
>
> Did you communicate with the Bugzilla development team while doing this? I
> didn't see anything cross the mailing list... Getting Bugzilla in a state
> where it can have a CSP policy would be a great thing. Why not file a bug
> about it?

We did this as an experiment to evaluate how easy it was to deploy CSP
on a real web site.  Joel can tell you more of the details.  We
eventually got it working, although we had to do some work to avoid
losing performance.

Adam

Received on Monday, 24 January 2011 23:53:30 UTC