> document.enforceSecurityPolicy("default-src 'self' "); Also note that given the behavior of certain XSS filters that make it possible to selectively disable some of the <script> blocks (but not others), this seems undesirable. Frankly, I don't see any truly compelling reasons for dropping <meta>; CSP is far from being perfect, and has several far more concerning bypass vectors; but it's better than nothing. Making it harder to deploy it in a common use case just to prevent an attack in a far more peripheral one (which can be readily turned into XSS in some browsers anyway) seems odd. /mzReceived on Wednesday, 2 May 2012 16:33:01 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:28 UTC