Michal Čihař wrote:
Hi all
you probably noticed that Firefox 3.5 is out and it comes with a new way
to protect against XSS called Content Security Policy.
Do you think it is worth implementing in phpMyAdmin? It would probably
mean changing some parts of our code because it blocks the following
things:
* The contents of internal <script> nodes
* javascript: URIs, e.g. <a href="javascript:bad_stuff()">
* Event-handling attributes, e.g. <a onclick="bad_stuff()">
* eval()
* setTimeout called with a String argument, e.g. setTimeout("evil
string...", 1000)
* setInterval called with a String argument, e.g. setInterval("evil
string...", 1000)
* new Function constructor, e.g. var f = new Function("evil
string...")
See <https://wiki.mozilla.org/Security/CSP/Spec> for more details.
Michal,
do you know where in the 3.5 browser menus I can activate CSP?
--
Marc Delisle
http://infomarc.info
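
Added example (not part of the original messages and not phpMyAdmin code): a small Node.js audit helper that scans markup and script source for the constructs the list above says CSP blocks, so the code that would need changing can be located. The check ids, the sample input and the names in it are assumptions made for illustration.

```javascript
// Added example, not phpMyAdmin code. Regex triage, not a full HTML/JS parser:
// it can miss obfuscated cases and flag data-only <script> blocks.
const CSP_CHECKS = [
  // <script> with no src attribute, i.e. internal script content
  { id: "inline-script", re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>/gi },
  // javascript: URIs in link-like attributes
  { id: "javascript-uri", re: /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/gi },
  // on* event-handling attributes inside a tag
  { id: "event-attribute", re: /<[a-z][^>]*\son[a-z]+\s*=/gi },
  { id: "eval", re: /\beval\s*\(/g },
  // setTimeout / setInterval whose first argument is a string literal
  { id: "string-timer", re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/g },
  { id: "function-constructor", re: /\bnew\s+Function\s*\(/g },
];

// Returns [{ id, line, snippet }] sorted by line number.
function auditForCsp(source) {
  const findings = [];
  for (const { id, re } of CSP_CHECKS) {
    for (const m of source.matchAll(re)) {
      const line = source.slice(0, m.index).split("\n").length;
      findings.push({ id, line, snippet: m[0].trim() });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample input (file and function names are hypothetical).
const SAMPLE = [
  '<script src="app.js"></script>',
  '<script>var token = "abc";</script>',
  '<a href="javascript:history.back()">Back</a>',
  '<input type="button" onclick="checkAll()">',
  'setTimeout("refresh()", 1000);',
  'setTimeout(refresh, 1000);',
  'var f = new Function("return 1");',
].join("\n");

for (const f of auditForCsp(SAMPLE)) {
  console.log(`line ${f.line}: ${f.id}: ${f.snippet}`);
}
```

The external script on line 1 and the function-reference timer on line 6 of the sample are not reported, which is the form the flagged lines would be moved to.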