Michal Čihař wrote:
Hi all
you probably noticed that Firefox 3.5 is out and it comes with a new way to protect against XSS called Content Security Policy.
Do you think it is worth implementing in phpMyAdmin? It would probably mean changing some parts of our code because it blocks the following things:
* The contents of internal <script> nodes
* javascript: URIs, e.g. <a href="javascript:bad_stuff()">
* Event-handling attributes, e.g. <a onclick="bad_stuff()">
* eval()
* setTimeout called with a String argument, e.g. setTimeout("evil string...", 1000)
* setInterval called with a String argument, e.g. setInterval("evil string...", 1000)
* new Function constructor, e.g. var f = new Function("evil string...")
Since we use quite a number of onclick="" attributes, it would take considerable effort to implement this. I do not expect this to be implemented in all browsers any time soon, since it currently is an FF-only feature, and thus we still have to be very careful with properly sanitising all output.
Therefore I see this as a possible long term goal, and something to think about when writing new code.
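As an added example for this thread (it is not phpMyAdmin code and not from either poster), the Node script below does the two things the discussion implies: it scans a page's markup for the constructs in Michal's list (inline script blocks, javascript: URIs, on* attributes, eval-family calls) and reports them by line, and it mechanically moves on*="..." handlers into an external script that re-attaches them with addEventListener, which is the refactoring a policy without inline script requires. The sample HTML, the data-csp-handler attribute and every function name are constructed for the example; the lint is regex-based, so treat it as a way to find the spots to rewrite, not as a parser.

```javascript
// Added example, not phpMyAdmin code: scan page markup for the constructs the
// thread says CSP blocks, and mechanically move on*="..." handlers into an
// external script attached with addEventListener.  Sample HTML and all names
// here are constructed for the example.

const CSP_SCAN_PATTERNS = [
  // <script> with a body and no src= attribute
  { kind: 'inline-script', re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>[\s\S]*?<\/script>/gi },
  // href="javascript:..." (also src= and action=)
  { kind: 'javascript-uri', re: /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/gi },
  // onclick="..." and other on<event> attributes
  { kind: 'event-handler-attribute', re: /\son[a-z]+\s*=\s*(["'])[\s\S]*?\1/gi },
  // eval-family calls, wherever they appear (inline attribute or script text)
  { kind: 'eval', re: /\beval\s*\(/g },
  { kind: 'string-timer', re: /\b(?:setTimeout|setInterval)\s*\(\s*["'`]/g },
  { kind: 'function-constructor', re: /\bnew\s+Function\s*\(/g },
];

// 1-based line number of a character offset.
function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

// Returns [{ kind, line, snippet }] sorted by line.
function findCspViolations(text) {
  const findings = [];
  for (const { kind, re } of CSP_SCAN_PATTERNS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(text)) !== null) {
      findings.push({ kind, line: lineOf(text, m.index), snippet: m[0].split('\n')[0].slice(0, 60) });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Replaces each on<event>="code" attribute with data-csp-handler="N" and
// records the handler body so it can be attached from an external file.
function extractInlineHandlers(html) {
  const handlers = [];
  const rewritten = html.replace(/\son([a-z]+)\s*=\s*(["'])([\s\S]*?)\2/gi, (whole, event, quote, code) => {
    const id = handlers.length + 1;
    handlers.push({ id, event: event.toLowerCase(), code: code.trim() });
    return ` data-csp-handler="${id}"`;
  });
  return { html: rewritten, handlers };
}

// Emits the external script.  Calling the original body with .call(this, event)
// keeps `this` bound to the element, and a `return false` still cancels the
// default action, as it did for the inline attribute.
function buildExternalScript(handlers) {
  const lines = ['document.addEventListener("DOMContentLoaded", function () {'];
  for (const h of handlers) {
    lines.push(
      `  document.querySelectorAll('[data-csp-handler="${h.id}"]').forEach(function (el) {`,
      `    el.addEventListener(${JSON.stringify(h.event)}, function (event) {`,
      `      var result = (function (event) { ${h.code} }).call(this, event);`,
      `      if (result === false) { event.preventDefault(); }`,
      '    });',
      '  });'
    );
  }
  lines.push('});');
  return lines.join('\n');
}

// Moves the handlers out, then rescans both the rewritten markup and the
// generated script: what is left (javascript: links, inline <script> blocks,
// string-argument timers inside moved handlers) still needs a hand rewrite.
function migrateAndRescan(html) {
  const { html: rewritten, handlers } = extractInlineHandlers(html);
  const script = buildExternalScript(handlers);
  const remaining = findCspViolations(rewritten).map((f) => ({ ...f, file: 'page.html' }))
    .concat(findCspViolations(script).map((f) => ({ ...f, file: 'handlers.js' })));
  return { html: rewritten, script, remaining };
}

// Constructed sample page, loosely in the style of a phpMyAdmin screen.
const SAMPLE_HTML = [
  '<html><head>',
  '<script>var token = "abc";</script>',
  '<script src="/js/common.js"></script>',
  '</head><body>',
  '<a href="javascript:toggleAll()">toggle</a>',
  '<a href="sql.php?drop=1" onclick="return confirm(\'Really drop?\')">Drop</a>',
  '<button onclick="setTimeout(\'refresh()\', 1000)">Refresh</button>',
  '</body></html>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findCspViolations(SAMPLE_HTML)) console.log(`line ${f.line}: ${f.kind}: ${f.snippet}`);
  const result = migrateAndRescan(SAMPLE_HTML);
  console.log(result.script);
  for (const f of result.remaining) console.log(`${f.file} line ${f.line}: ${f.kind}`);
}
```

Run it with `node` on a saved copy of a rendered page. The second scan is the useful part: moving the onclick bodies out removes the attribute findings, but the javascript: link and the inline script block remain in the markup, and the handler that called setTimeout with a string now shows up in the generated handlers.js, because that call is blocked as eval regardless of where it lives.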