[Phpmyadmin-devel] Content Security Policy
Michal Čihař
michal at cihar.com
Thu Jul 2 10:24:39 CEST 2009
Hi all
you probably noticed that Firefox 3.5 is out and it comes with a new way
to protect against XSS called Content Security Policy.
Do you think it is worth implementing in phpMyAdmin? It would probably
mean changing some parts of our code because it blocks the following
things:
* The contents of internal <script> nodes
* javascript: URIs, e.g. <a href="javascript:bad_stuff()">
* Event-handling attributes, e.g. <a onclick="bad_stuff()">
* eval()
* setTimeout called with a String argument, e.g. setTimeout("evil string...", 1000)
* setInterval called with a String argument, e.g. setInterval("evil string...", 1000)
* new Function constructor, e.g. var f = new Function("evil string...")
See <https://wiki.mozilla.org/Security/CSP/Spec> for more details.
--
Michal Čihař | http://cihar.com | http://phpmyadmin.cz
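As an added example (not code from this message or from phpMyAdmin), a small JavaScript audit helper that flags the constructs listed above so a code base can be checked before a policy is enabled, shown alongside the CSP-compatible rewrite of an inline handler. The file name `js/status.js` and the functions `confirmDrop`/`refreshStatus` in the samples are made up.

```javascript
// Heuristic regexes for the constructs that CSP blocks, as listed in the
// message: inline <script> bodies, javascript: URIs, on* attributes, eval(),
// string arguments to setTimeout/setInterval, and the Function constructor.
// A first-pass migration audit, not a parser; expect some false positives.
const CSP_BLOCKED = [
  { name: 'inline-script',   re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>[\s\S]*?<\/script>/i },
  { name: 'javascript-uri',  re: /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/i },
  { name: 'event-attribute', re: /\son[a-z]+\s*=\s*["']/i },
  { name: 'eval',            re: /\beval\s*\(/ },
  { name: 'timer-string',    re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
  { name: 'function-ctor',   re: /\bnew\s+Function\s*\(/ },
];

// Returns the names of the blocked constructs found in one chunk of HTML/JS.
function findCspViolations(source) {
  return CSP_BLOCKED.filter(({ re }) => re.test(source)).map(({ name }) => name);
}

// Illustrative policy (assumed, not phpMyAdmin's): only same-origin scripts,
// which is exactly what makes the constructs above stop working.
const EXAMPLE_POLICY = "default-src 'self'; script-src 'self'";

// Constructed sample: markup that relies on an inline handler and a string
// timer, and the same behaviour rewritten so it works under the policy.
const BEFORE = `<a href="#" onclick="confirmDrop()">Drop</a>
<script>setTimeout("refreshStatus()", 1000);</script>`;

const AFTER_HTML = `<a href="#" id="drop-link">Drop</a>
<script src="js/status.js"></script>`;

// Contents of the external js/status.js: behaviour is attached with
// addEventListener and the timer gets a function reference, not a string.
const AFTER_JS = `document.getElementById('drop-link')
  .addEventListener('click', confirmDrop);
setTimeout(refreshStatus, 1000);`;

// Report what the audit finds for each version.
console.log('policy:', EXAMPLE_POLICY);
console.log('before:', findCspViolations(BEFORE));
console.log('after :', findCspViolations(AFTER_HTML + '\n' + AFTER_JS));
```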