W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2013

Re: Restricting <base> URLS via CSP

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 27 Feb 2013 19:28:14 -0800
Message-ID: <CAPfop_1nxcLjwGBRrGKFPfBcyBJiTc7GEpVwUnQm3pHGpLQvtQ@mail.gmail.com>
To: Alex Russell <slightlyoff@google.com>
Cc: Adam Barth <w3c@adambarth.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Michal Zalewski <lcamtuf@google.com>
> This isn't just about scripts; it affects forms, images, and every other
> sort of network behavior.

My point was that web application authors opt-in to XSS protection
only when they specify a script-src. In the absence of script-src, we
are in XSS world, not post-xss.

Received on Thursday, 28 February 2013 03:29:05 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:31 UTC