From marc@infomarc.info Fri Jul  3 08:13:35 2009
From: Marc Delisle <marc@infomarc.info>
To: developers@phpmyadmin.net
Subject: Re: [Phpmyadmin-devel] Content Security Policy
Date: Thu, 02 Jul 2009 10:49:42 -0400
Message-ID: <4A4CC906.3050407@infomarc.info>
In-Reply-To: <4A4CC767.2030503@initfour.nl>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3032172907157365875=="

--===============3032172907157365875==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Herman van Rink a écrit :
> Michal Čihař wrote:
>> Hi all
>>
>> you probably noticed that Firefox 3.5 is out and it comes with new way
>> how to protect against XSS called Content Security Policy.
>>
>> Do you think it is worth implementing in phpMyAdmin? It would probably
>> mean changing of some parts of our code because it blocks following
>> things:
>>
>>     *  The contents of internal <script> nodes
>>     * javascript: URIs, e.g. <a href="javascript:bad_stuff()">
>>     * Event-handling attributes, e.g. <a onclick="bad_stuff()"> 
>>     *  eval()
>>     * setTimeout called with a String argument, e.g. setTimeout("evil
>>       string...", 1000)
>>     * setInterval called with a String argument, e.g. setInterval("evil
>>       string...", 1000)
>>     * new Function constructor, e.g. var f = new Function("evil
>>       string...")
>>   
> 
> Since we use quite a number of onclick="" attributes  it would take
> considerable effort to implement this.
> I do not expect this to be implemented in all browsers any-time soon,
> since it currently is an FF only feature, and thus we still have to be
> very careful with properly sanitising all output.
> 
> Therefore I see this as a possible long term goal, and something to
> think about when writing new code.
> 
Agreed; also the CSP document itself from Mozilla scares me with lots of 
options and policies to decide about.

-- 
Marc Delisle
http://infomarc.info


--===============3032172907157365875==--