Michal Čihař wrote:
Hi all
you probably noticed that Firefox 3.5 is out and it comes with a new way
to protect against XSS called Content Security Policy.
Do you think it is worth implementing in phpMyAdmin? It would probably
mean changing some parts of our code because it blocks the following
things:
* The contents of internal <script> nodes
* javascript: URIs, e.g. <a href="javascript:bad_stuff()">
* Event-handling attributes, e.g. <a onclick="bad_stuff()">
* eval()
* setTimeout called with a String argument, e.g. setTimeout("evil string...", 1000)
* setInterval called with a String argument, e.g. setInterval("evil string...", 1000)
* new Function constructor, e.g. var f = new Function("evil string...")
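The list above is exactly what a "no inline script" policy refuses to run, and the reply below notes that phpMyAdmin relies on many onclick="" attributes. The following Node script is an added example, not phpMyAdmin code: it scans a page's HTML output for those constructs (inline script bodies, javascript: URIs, on* attributes, eval, string-argument setTimeout/setInterval, new Function) so a team can size the refactoring effort before turning CSP on. The sample markup (BEFORE, AFTER) and the sample external script (UI_JS, pretending to be /js/ui.js) are constructed for the example; showHint, toggleRow and refresh are hypothetical page functions.

```javascript
// Added example (not phpMyAdmin code): audit HTML output for constructs that a
// Content Security Policy without 'unsafe-inline'/'unsafe-eval' would block.

const INLINE_SCRIPT = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;          // <script> ... </script>
const EVENT_ATTR = /\s(on[a-z]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;        // onclick="..." and friends
const JS_URI = /\s(href|src|action)\s*=\s*["']?\s*javascript:/gi;           // href="javascript:..."
const DYNAMIC_CODE = [                                                      // string-to-code inside scripts
  { kind: 'eval()', re: /\beval\s*\(/g },
  { kind: 'setTimeout(string)', re: /\bsetTimeout\s*\(\s*["']/g },
  { kind: 'setInterval(string)', re: /\bsetInterval\s*\(\s*["']/g },
  { kind: 'new Function()', re: /\bnew\s+Function\s*\(/g },
];

// 1-based line number of a character offset, for reporting.
function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

// Look for eval-style constructs in script text; `offset` maps positions back into `html`.
function scanScriptBody(js, offset, html, findings) {
  for (const { kind, re } of DYNAMIC_CODE) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(js)) !== null) {
      findings.push({ kind, line: lineOf(html, offset + m.index), snippet: m[0] });
    }
  }
}

// Returns one finding per CSP-blocked construct in the markup, sorted by line.
function findCspViolations(html) {
  const findings = [];
  let m;

  INLINE_SCRIPT.lastIndex = 0;
  while ((m = INLINE_SCRIPT.exec(html)) !== null) {
    const attrs = m[1], body = m[2];
    if (/\bsrc\s*=/i.test(attrs) || body.trim() === '') continue; // external or empty: allowed
    findings.push({ kind: 'inline <script>', line: lineOf(html, m.index), snippet: body.trim().split('\n')[0] });
    const bodyStart = m.index + '<script'.length + attrs.length + 1; // position just after the '>'
    scanScriptBody(body, bodyStart, html, findings);
  }

  EVENT_ATTR.lastIndex = 0;
  while ((m = EVENT_ATTR.exec(html)) !== null) {
    findings.push({ kind: 'event handler attribute', line: lineOf(html, m.index), snippet: m[1] + '=' + m[2] });
  }

  JS_URI.lastIndex = 0;
  while ((m = JS_URI.exec(html)) !== null) {
    findings.push({ kind: 'javascript: URI', line: lineOf(html, m.index), snippet: m[0].trim() });
  }

  return findings.sort((a, b) => a.line - b.line);
}

// External .js files may still use eval-style constructs; check them separately.
function scanExternalScript(js) {
  const findings = [];
  scanScriptBody(js, 0, js, findings);
  return findings;
}

// Constructed sample: the patterns CSP would block.
const BEFORE = `<!-- constructed sample: the patterns CSP would block -->
<a href="javascript:showHint()">hint</a>
<a href="#" onclick="toggleRow(3); return false;">toggle</a>
<script>
  eval(localStorage.getItem("code"));
  setTimeout("refresh()", 1000);
</script>`;

// Constructed sample: same behaviour, with handlers moved to an external file.
const AFTER = `<!-- constructed sample: same behaviour, CSP-compatible -->
<a href="#hint" id="hint-link">hint</a>
<a href="#" data-row="3" class="toggle">toggle</a>
<script src="/js/ui.js"></script>`;

// Constructed sample of the external /js/ui.js: listeners instead of attributes, functions instead of strings.
const UI_JS = `// constructed sample of /js/ui.js
document.getElementById('hint-link').addEventListener('click', function (e) {
  e.preventDefault();
  showHint();
});
for (const el of document.querySelectorAll('a.toggle')) {
  el.addEventListener('click', function (e) {
    e.preventDefault();
    toggleRow(Number(el.dataset.row));
  });
}
setTimeout(refresh, 1000); // a function reference, not a string`;

for (const f of findCspViolations(BEFORE)) console.log(`line ${f.line}: ${f.kind} -> ${f.snippet}`);
console.log('after refactor:', findCspViolations(AFTER).length, 'findings;',
            'external script:', scanExternalScript(UI_JS).length, 'findings');
```

Run it with `node csp-audit.js` (any file name); pointing it at the real HTML phpMyAdmin emits would give a per-line inventory of the onclick attributes and inline scripts that need to move into external files before a strict policy can be enabled. Regex scanning is an estimate, not a parser: it also flags on*= inside comments or attribute values, which is the safe direction for an audit.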
Since we use quite a number of onclick="" attributes, it would take
considerable effort to implement this.
I do not expect this to be implemented in all browsers any time soon,
since it currently is an FF-only feature, and thus we still have to be
very careful with properly sanitising all output.
Therefore I see this as a possible long term goal, and something to
think about when writing new code.
Agreed; also the CSP document itself from Mozilla scares me with lots of
options and policies to decide about.
--
Marc Delisle