[Phpmyadmin-devel] Content Security Policy
Herman van Rink
rink at initfour.nl
Thu Jul 2 16:42:47 CEST 2009
Michal Čihař wrote:
> Hi all
>
> you probably noticed that Firefox 3.5 is out and it comes with new way
> how to protect against XSS called Content Security Policy.
>
> Do you think it is worth implementing in phpMyAdmin? It would probably
> mean changing of some parts of our code because it blocks following
> things:
>
> * The contents of internal <script> nodes
> * javascript: URIs, e.g. <a href="javascript:bad_stuff()">
> * Event-handling attributes, e.g. <a onclick="bad_stuff()">
> * eval()
> * setTimeout called with a String argument, e.g. setTimeout("evil
> string...", 1000)
> * setInterval called with a String argument, e.g. setInterval("evil
> string...", 1000)
> * new Function constructor, e.g. var f = new Function("evil
> string...")
>
Since we use quite a number of onclick="" attributes it would take
considerable effort to implement this.
I do not expect this to be implemented in all browsers any-time soon,
since it currently is an FF only feature, and thus we still have to be
very careful with properly sanitising all output.
Therefore I see this as a possible long term goal, and something to
think about when writing new code.
--
Met vriendelijke groet / Regards,
Herman van Rink
Initfour websolutions
More information about the Developers
mailing list