Hi
On Thu, 02 Jul 2009 16:42:47 +0200
Herman van Rink <rink(a)initfour.nl> wrote:
Since we use quite a number of onclick="" attributes it would take
considerable effort to implement this.
I totally agree.
I do not expect this to be implemented in all browsers anytime soon,
since it currently is an FF-only feature, and thus we still have to be
very careful with properly sanitising all output.
Yes, but as CSP also allows notification if something is doing nasty
things, it will help us protect other users, because we will be
notified about possible problems from FF 3.5 users.
Therefore I see this as a possible long term goal, and something to
think about when writing new code.
It makes sense to define it this way.
--
Michal Čihař | http://cihar.com | http://phpmyadmin.cz
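
The notification side of CSP discussed in this message, as an added example that is not part of the original e-mail and not phpMyAdmin code: a small triage routine for violation reports that separates refused inline script (such as remaining onclick="" handlers, or markup that slipped past output sanitising) from refused external script. It assumes the standard JSON report body with a "csp-report" object; the host names and sample reports are constructed.

```javascript
// Added example, not phpMyAdmin code. Violation reports arrive from browsers
// over the network, so every field is untrusted: cap the size, validate the
// shape, and never echo values into HTML without escaping.
const MAX_REPORT_BYTES = 8192;

function triageCspReport(rawBody) {
  if (typeof rawBody !== "string" || rawBody.length > MAX_REPORT_BYTES) return null;
  let parsed;
  try { parsed = JSON.parse(rawBody); } catch (e) { return null; }
  const r = parsed && parsed["csp-report"];
  if (!r || typeof r !== "object") return null;
  const directive = String(r["effective-directive"] || r["violated-directive"] || "").trim();
  const page = String(r["document-uri"] || "");
  const blocked = String(r["blocked-uri"] || "");
  if (!directive || !page) return null;
  // Older reports carry the whole directive ("script-src 'self'"); keep the name.
  const name = directive.split(/\s+/)[0];
  let kind = "other";
  if (name.startsWith("script-src")) {
    // An empty or "inline" blocked-uri means inline code was refused: either
    // one of our own onclick="" handlers or markup that slipped past escaping.
    kind = blocked === "" || blocked === "inline" ? "inline-script" : "external-script";
  }
  return { kind, page, directive: name, blocked };
}

// Count reports per (kind, page) so a spike on one page stands out.
function summarise(rawBodies) {
  const counts = Object.create(null);
  let rejected = 0;
  for (const raw of rawBodies) {
    const t = triageCspReport(raw);
    if (!t) { rejected += 1; continue; }
    const key = t.kind + " " + t.page;
    counts[key] = (counts[key] || 0) + 1;
  }
  return { counts, rejected };
}

// Constructed sample reports (hypothetical host pma.example).
const SAMPLE_REPORTS = [
  '{"csp-report":{"document-uri":"https://pma.example/index.php","violated-directive":"script-src \'self\'","blocked-uri":""}}',
  '{"csp-report":{"document-uri":"https://pma.example/index.php","effective-directive":"script-src-attr","blocked-uri":"inline"}}',
  '{"csp-report":{"document-uri":"https://pma.example/sql.php","violated-directive":"script-src \'self\'","blocked-uri":"https://cdn.example/x.js"}}',
  "not json",
];
console.log(summarise(SAMPLE_REPORTS));
```

Inline-script reports from pages whose handlers have already been moved out of onclick="" attributes are the ones worth investigating first.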