[Phpmyadmin-devel] Content Security Policy

Marc Delisle marc at infomarc.info
Thu Jul 2 13:15:02 CEST 2009


Michal Čihař a écrit :
> Hi all
> 
> you probably noticed that Firefox 3.5 is out and it comes with new way
> how to protect against XSS called Content Security Policy.
> 
> Do you think it is worth implementing in phpMyAdmin? It would probably
> mean changing of some parts of our code because it blocks following
> things:
> 
>     *  The contents of internal <script> nodes
>     * javascript: URIs, e.g. <a href="javascript:bad_stuff()">
>     * Event-handling attributes, e.g. <a onclick="bad_stuff()"> 
>     *  eval()
>     * setTimeout called with a String argument, e.g. setTimeout("evil
>       string...", 1000)
>     * setInterval called with a String argument, e.g. setInterval("evil
>       string...", 1000)
>     * new Function constructor, e.g. var f = new Function("evil
>       string...")
> 
> See <https://wiki.mozilla.org/Security/CSP/Spec> for more details.

Michal,
do you know where in the 3.5 browser menus I can activate CSP?


-- 
Marc Delisle
http://infomarc.info




More information about the Developers mailing list