| |||||||||||||
Mozilla's Content Security PolicyMozilla's Content Security PolicyPosted Jul 2, 2009 17:17 UTC (Thu) by joey (subscriber, #328)In reply to: Mozilla's Content Security Policy by butlerm Parent article: Mozilla's Content Security Policy I think you're probably right, which is a real pity, since sanitizing user-supplied html to remove all possible means of javascript injection is very tricky. I wish this CSP could be turned on at a block level. Something like: <csp="no-javascript"> user supplied html here </csp>
(Log in to post comments)
Mozilla's Content Security Policy Posted Jul 2, 2009 17:19 UTC (Thu) by joey (subscriber, #328) [Link] BTW, right after I posted that, I found a javascript stripping bug in lwn.net, which I've emailed to Jon. :-/
Mozilla's Content Security Policy Posted Jul 11, 2009 19:09 UTC (Sat) by tulcod (guest, #59536) [Link]
If users can inject <script> tags, I don't see any reason why they shouldn't be able to inject </csp> tags.
What Mozilla proposed is not a solution either, though: there is no reason users cannot upload scripts to a host. Heck, websites on most free webhosts would still be vulnerable. I think a better solution would be to only allow javascript to exist in the <head> tag, although this wouldn't be a solution for websites which, for whatever weird reason, would allow users to put stuff in the <head> of a webpage. XSS is an inherent problem with launching scripts from editable content. It would be better to disallow <script> tags completely and use a different mechanism to use javascript on a webpage alongside the HTML delivery, but that would mean properties like onclick and onmouseover would also have to be banned, which induces some rather serious limitations (read: webmasters won't like this).
For now, I'll stick with bbcode and some url encoding.
ps: wow, "webmasters". when was the last time I used that phrase?
|
|||||||||||||