- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Mon, 29 Aug 2022 07:34:23 -0700
- To: Harel Klopfer <Harel.Klopfer@hot.net.il>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Monday, 29 August 2022 14:35:03 UTC
On Mon, Aug 29, 2022 at 6:57 AM Harel Klopfer <Harel.Klopfer@hot.net.il> wrote:

> I saw at the OWASP the reflected XSS directive for the CSP header (site:
> https://owasp.org/www-project-secure-headers/#content-security-policy),
>
> but I couldn’t find this directive at your site.

The OWASP documentation appears to contain old information from a draft version of the spec. There is no "reflected-xss" directive in CSP. A strict policy already combats reflected and stored XSS and some DOM XSS without a special directive for it.

If you wish to use CSP I'd check out more in-depth information about it, but a couple of top-line items:

* if you use 'unsafe-inline' you are not preventing XSS at all
* if you use 'unsafe-eval' that might allow XSS depending on your site's code
* using 'strict-dynamic' with nonces or hashes is more secure than a whitelist of domains. Most domains have an abusable script on them somewhere, so the whitelist approach can often be bypassed to achieve XSS in practice.

-Dan Veditz
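As an added illustration of the three top-line items above (this is example code, not part of the thread or of any Mozilla or W3C project): a per-response nonce plus 'strict-dynamic' policy of the kind Dan recommends, and a small checker that flags 'unsafe-inline' with no nonce/hash, 'unsafe-eval', and a host whitelist used without 'strict-dynamic'. The helper names and the sample policy strings are this example's own assumptions.

```python
import base64
import secrets


def make_nonce() -> str:
    """Fresh 128-bit random nonce, base64 as CSP requires; mint one per response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def strict_csp(nonce: str) -> str:
    """Nonce + 'strict-dynamic': only scripts carrying the nonce run, and scripts
    they load at runtime are trusted transitively, so no host whitelist is needed."""
    return f"script-src 'nonce-{nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'none'"


def parse_csp(header: str) -> dict:
    """Split a serialized policy into {directive-name: [source expressions]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_src_warnings(header: str) -> list:
    """Flag the three weak patterns from the reply that apply to script sources."""
    directives = parse_csp(header)
    sources = directives.get("script-src", directives.get("default-src", []))  # CSP fallback
    lowered = [s.lower() for s in sources]
    warnings = []
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present (CSP2+),
    # so only flag it when it is actually in effect.
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        warnings.append("unsafe-inline: inline script runs, so XSS is not prevented")
    if "'unsafe-eval'" in lowered:
        warnings.append("unsafe-eval: eval() allowed, XSS possible depending on site code")
    # Unquoted entries are hosts/schemes, i.e. a whitelist; without 'strict-dynamic'
    # one abusable script on any listed host bypasses the policy.
    hosts = [s for s in lowered if not s.startswith("'")]
    if hosts and "'strict-dynamic'" not in lowered:
        warnings.append("host whitelist without strict-dynamic: " + ", ".join(hosts))
    return warnings


if __name__ == "__main__":
    # constructed sample policies: the weak one yields two warnings, the strict one none
    print(script_src_warnings("script-src 'self' 'unsafe-inline' https://cdn.example.com"))
    print(script_src_warnings(strict_csp(make_nonce())))
```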