[Phpmyadmin-devel] Content Security Policy
Marc Delisle
marc at infomarc.info
Thu Jul  2 13:15:02 CEST 2009

Michal Čihař wrote:
> Hi all
> 
> you probably noticed that Firefox 3.5 is out and it comes with a new way
> to protect against XSS called Content Security Policy.
> 
> Do you think it is worth implementing in phpMyAdmin? It would probably
> mean changing some parts of our code because it blocks the following
> things:
> 
>     * The contents of internal <script> nodes
>     * javascript: URIs, e.g. <a href="javascript:bad_stuff()">
>     * Event-handling attributes, e.g. <a onclick="bad_stuff()">
>     * eval()
>     * setTimeout called with a String argument, e.g. setTimeout("evil
>       string...", 1000)
>     * setInterval called with a String argument, e.g. setInterval("evil
>       string...", 1000)
>     * new Function constructor, e.g. var f = new Function("evil
>       string...")
> 
> See <https://wiki.mozilla.org/Security/CSP/Spec> for more details.
Michal,
do you know where in the 3.5 browser menus I can activate CSP?
-- 
Marc Delisle
http://infomarc.info
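
A first-pass audit for the constructs listed in the quoted message, as an added example that is not part of the original thread or phpMyAdmin's code. The rule names, `auditCsp` and the sample strings are constructed for illustration, and the regexes are heuristics, not a full HTML/JavaScript parser.

```javascript
// Added example: flags the constructs the quoted message says CSP blocks,
// so templates and scripts can be triaged before a policy is enabled.
const RULES = [
  // <script> element without a src attribute and with a non-empty body
  { id: 'inline-script', re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>\s*[^\s<]/gi },
  // javascript: URI in a URL-bearing attribute
  { id: 'javascript-uri', re: /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/gi },
  // on* event-handling attribute inside a tag
  { id: 'event-attribute', re: /<[a-z][^>]*\son[a-z]+\s*=/gi },
  { id: 'eval', re: /\beval\s*\(/g },
  // setTimeout / setInterval whose first argument is a string literal
  { id: 'string-timer', re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/g },
  { id: 'function-constructor', re: /\bnew\s+Function\s*\(/g },
];

// Returns [{ rule, line }] sorted by 1-based line number.
function auditCsp(source) {
  const findings = [];
  for (const { id, re } of RULES) {
    for (const m of source.matchAll(re)) {
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ rule: id, line });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample inputs (not taken from phpMyAdmin).
const SAMPLE_HTML = [
  '<script src="js/functions.js"></script>',       // external file: not flagged
  '<script>var t = 1;</script>',
  '<a href="javascript:bad_stuff()">x</a>',
  '<a href="#" onclick="bad_stuff()">y</a>',
].join('\n');

const SAMPLE_JS = [
  'setTimeout("evil string...", 1000);',
  'setTimeout(function () { refresh(); }, 1000);', // function argument: not flagged
  'var f = new Function("evil string...");',
  'eval(userInput);',
].join('\n');

for (const f of [...auditCsp(SAMPLE_HTML), ...auditCsp(SAMPLE_JS)]) {
  console.log(`line ${f.line}: ${f.rule}`);
}
```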