- From: Neil Matatall <neilm@twitter.com>
- Date: Thu, 4 Sep 2014 10:02:04 -0700
- To: "Hill, Brad" <bhill@paypal.com>
- Cc: Mike West <mkwst@google.com>, Pawel Krawczyk <pawel.krawczyk@hush.com>, Dan Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Firefox's script sample says: "call to eval() or related function blocked by CSP" and that's pretty useful. Also, if this is plugin noise the line number / column number may be skewed if DOM elements are injected.

On Thu, Sep 4, 2014 at 9:58 AM, Neil Matatall <neilm@twitter.com> wrote:
> There's already plenty of non-URIs in that value:
>
> null
> about
> data:text/javascript;base64,...
> asset
> weixin
> android-webview
> pixivnanikahelper
>
> Or at least URIs that the standard Java URI cannot parse. As a likely
> unauthenticated endpoint, validation is required either way.
Received on Thursday, 4 September 2014 17:02:37 UTC
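The validation the quoted message calls for, as an added example that is not code from this thread or from any poster's reporting endpoint. It assumes Python, a constructed sample report, a 1024-byte field limit, and the extra bare tokens "self", "inline", "eval" and "blob" beyond the ones listed in the mail; blocked-uri is bucketed into a few categories instead of being handed to a URI parser, so the non-URI values above cannot break the endpoint.

```python
import json
from urllib.parse import urlsplit
# Firefox's script-sample for a blocked eval() (quoted in the mail above).
FIREFOX_EVAL_SAMPLE = "call to eval() or related function blocked by CSP"
# Bare non-URI blocked-uri values: the mail's list plus "self"/"inline"/"eval"/"blob" (assumed).
BARE_TOKENS = {"", "null", "about", "self", "inline", "eval", "data", "blob",
               "asset", "weixin", "android-webview", "pixivnanikahelper"}
MAX_LEN = 1024  # constructed size limit: the endpoint is unauthenticated
STR_KEYS = ("document-uri", "violated-directive", "source-file", "script-sample")

def classify_blocked_uri(value):
    # Bucket blocked-uri without assuming it parses as a URI.
    if not isinstance(value, str) or len(value) > MAX_LEN:
        return "invalid", None
    v = value.strip()
    if v in BARE_TOKENS:
        return "token", v
    if v.startswith("data:"):  # keep the media type only, drop the payload
        return "data", v[5:].split(",", 1)[0].split(";", 1)[0] or "data"
    try:
        parts = urlsplit(v)
    except ValueError:  # e.g. a malformed IPv6 host literal
        return "invalid", None
    if parts.scheme in ("http", "https") and parts.netloc:
        return "origin", f"{parts.scheme}://{parts.netloc}"
    if parts.scheme:  # weixin://..., chrome-extension://... and the like
        return "custom-scheme", parts.scheme
    return "invalid", None

def parse_csp_report(body):
    # Validate one report POST body; return a normalised dict or None.
    try:
        report = json.loads(body)["csp-report"]
        out = {k: report.get(k) for k in STR_KEYS}
    except (ValueError, TypeError, KeyError, AttributeError):  # not a JSON object with csp-report
        return None
    for k in STR_KEYS:  # drop anything that is not a bounded string
        if not isinstance(out[k], str) or len(out[k]) > MAX_LEN:
            out[k] = None
    for k in ("line-number", "column-number"):  # may be absent, bogus, or skewed
        n = report.get(k)
        out[k] = n if isinstance(n, int) and not isinstance(n, bool) and 0 <= n < 10**7 else None
    out["blocked-kind"], out["blocked-value"] = classify_blocked_uri(report.get("blocked-uri"))
    out["eval-noise"] = out["script-sample"] == FIREFOX_EVAL_SAMPLE
    return out

SAMPLE = json.dumps({"csp-report": {  # constructed sample, not from a real browser
    "document-uri": "https://example.com/", "violated-directive": "script-src 'self'",
    "blocked-uri": "data:text/javascript;base64,YWxlcnQoMSk=", "line-number": 12,
    "column-number": "bogus", "script-sample": FIREFOX_EVAL_SAMPLE}})
```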