Re: Restricting <base> URLS via CSP

On Feb 27, 2013 7:28 PM, "Devdatta Akhawe" <> wrote:
> > This isn't just about scripts; it affects forms, images, and every other
> > sort of network behavior.
> My point was that web application authors opt-in to XSS protection
> only when they specify a script-src. In the absence of script-src, we
> are in XSS world, not post-xss.

Ah, yes. Apologies for getting your meaning the first time.

Received on Friday, 1 March 2013 18:03:27 UTC