W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2013

Re: Restricting <base> URLS via CSP

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 27 Feb 2013 19:28:14 -0800
Message-ID: <CAPfop_1nxcLjwGBRrGKFPfBcyBJiTc7GEpVwUnQm3pHGpLQvtQ@mail.gmail.com>
To: Alex Russell <slightlyoff@google.com>
Cc: Adam Barth <w3c@adambarth.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Michal Zalewski <lcamtuf@google.com>

> This isn't just about scripts; it affects forms, images, and every other
> sort of network behavior.

My point was that web application authors opt-in to XSS protection
only when they specify a script-src. In the absence of script-src, we
are in XSS world, not post-xss.


--dev

Received on Thursday, 28 February 2013 03:29:05 UTC

This message: [ Message body ]
Next message: Boris Zbarsky: "CORS: Requirement for HTTP 200 response on preflight is not web-compatible and doesn't seem to be interoperably implemented"
Previous message: Alex Russell: "Re: Restricting <base> URLS via CSP"
In reply to: Alex Russell: "Re: Restricting <base> URLS via CSP"

Mail actions: [ respond to this message ] [ mail a new topic ]
Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
Help: [ How to use the archives ] [ Search in the archives ]

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:31 UTC