Re: Restricting <base> URLS via CSP from Alex Russell on 2013-03-01 (public-webappsec@w3.org from March 2013)

From: Alex Russell <slightlyoff@google.com>
Date: Fri, 1 Mar 2013 18:03:00 +0000
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: public-webappsec@w3.org, Michal Zalewski <lcamtuf@google.com>, Mike West <mkwst@google.com>, Adam Barth <w3c@adambarth.com>
Message-ID: <CANr5HFXNpXCAyVMJPppiP7hGcma3zDCfnfLfqsVtC5rpezbj0w@mail.gmail.com>

On Feb 27, 2013 7:28 PM, "Devdatta Akhawe" <dev.akhawe@gmail.com> wrote:
>
> > This isn't just about scripts; it affects forms, images, and every other
> > sort of network behavior.
>
> My point was that web application authors opt-in to XSS protection
> only when they specify a script-src. In the absence of script-src, we
> are in XSS world, not post-xss.

Ah, yes. Apologies for getting your meaning the first time.

Received on Friday, 1 March 2013 18:03:27 UTC