Michal Čihař wrote:
Hi all
You probably noticed that Firefox 3.5 is out and it comes with a new way to protect against XSS called Content Security Policy.
Do you think it is worth implementing in phpMyAdmin? It would probably mean changing some parts of our code, because it blocks the following things:
* The contents of internal <script> nodes
* javascript: URIs, e.g. <a href="javascript:bad_stuff()">
* Event-handling attributes, e.g. <a onclick="bad_stuff()">
* eval()
* setTimeout called with a String argument, e.g. setTimeout("evil string...", 1000)
* setInterval called with a String argument, e.g. setInterval("evil string...", 1000)
* new Function constructor, e.g. var f = new Function("evil string...")
See https://wiki.mozilla.org/Security/CSP/Spec for more details.
Michal, do you know where in the 3.5 browser menus I can activate CSP?
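To see how much of a code base the list above touches, here is an added audit script (not phpMyAdmin code, not from either poster) that scans page source for exactly those constructs and reports where they are, so the affected templates can be rewritten (external script files, addEventListener instead of onclick attributes). It is a regex heuristic over a constructed sample page, not a full HTML or JS parser.

```javascript
// Added example: find the constructs the CSP draft blocks, one rule per item
// in the list above. Regex-based, so treat results as leads, not proof.
const RULES = [
  // <script> element without a src attribute, i.e. an inline script body
  { name: 'inline-script', re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>[\s\S]*?<\/script>/gi },
  // href/src/action attributes whose value starts with javascript:
  { name: 'javascript-uri', re: /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/gi },
  // on* event-handler attributes (onclick, onload, ...)
  { name: 'event-handler-attr', re: /\son[a-z]+\s*=\s*["']/gi },
  { name: 'eval', re: /\beval\s*\(/g },
  // setTimeout/setInterval whose first argument is a string literal
  { name: 'timer-with-string', re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/g },
  { name: 'function-constructor', re: /\bnew\s+Function\s*\(/g },
];

// 1-based line number of a character offset in the scanned text
function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

function findCspViolations(source) {
  const findings = [];
  for (const { name, re } of RULES) {
    re.lastIndex = 0; // global regexes keep state between calls
    let m;
    while ((m = re.exec(source)) !== null) {
      findings.push({ rule: name, line: lineOf(source, m.index), snippet: m[0].slice(0, 40) });
    }
  }
  return findings;
}

// Constructed sample page (hypothetical, not taken from phpMyAdmin)
const SAMPLE = `<html><body>
<a href="javascript:toggle()">toggle</a>
<button onclick="save()">Save</button>
<script src="/js/app.js"></script>
<script>
  setTimeout("refresh()", 1000);
  var f = new Function("return 1");
  eval(userInput);
</script>
</body></html>`;

for (const f of findCspViolations(SAMPLE)) {
  console.log(`line ${f.line}: ${f.rule}: ${f.snippet}`);
}
```

The external `<script src="/js/app.js">` is deliberately not reported, since external scripts are what CSP allows; only the six inline constructs are listed.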