[Phpmyadmin-devel] Content Security Policy

Herman van Rink rink at initfour.nl
Thu Jul 2 16:42:47 CEST 2009


Michal Čihař wrote:
> Hi all
>
> you probably noticed that Firefox 3.5 is out and it comes with a new way
> to protect against XSS called Content Security Policy.
>
> Do you think it is worth implementing in phpMyAdmin? It would probably
> mean changing some parts of our code because it blocks the following
> things:
>
>     * The contents of internal <script> nodes
>     * javascript: URIs, e.g. <a href="javascript:bad_stuff()">
>     * Event-handling attributes, e.g. <a onclick="bad_stuff()">
>     * eval()
>     * setTimeout called with a String argument, e.g. setTimeout("evil
>       string...", 1000)
>     * setInterval called with a String argument, e.g. setInterval("evil
>       string...", 1000)
>     * new Function constructor, e.g. var f = new Function("evil
>       string...")
>

Since we use quite a number of onclick="" attributes, it would take
considerable effort to implement this.
I do not expect this to be implemented in all browsers any time soon,
since it currently is an FF-only feature, and thus we still have to be
very careful with properly sanitising all output.

Therefore I see this as a possible long term goal, and something to
think about when writing new code.

-- 
Met vriendelijke groet / Regards,

Herman van Rink 
Initfour websolutions
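As an added example (not code from this thread or from phpMyAdmin itself), a small Node.js audit helper that counts the constructs from Michal's list in a chunk of page markup, which is one way to size the refactoring effort Herman mentions; the sample markup and every name in it are constructed for illustration.

```javascript
'use strict';

// One entry per construct the thread says CSP blocks. The regexes are a
// heuristic for a quick audit of raw template/JS text, not an HTML parser.
const CSP_CHECKS = [
  // <script> nodes that carry a body and no src= attribute
  { kind: 'inline-script',
    re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi,
    keep: (m) => m[1].trim() !== '' },
  // javascript: URIs in href/src/action targets
  { kind: 'javascript-uri', re: /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/gi },
  // on* event-handling attributes, e.g. onclick="..."
  { kind: 'event-handler', re: /\son[a-z]+\s*=\s*["']/gi },
  { kind: 'eval', re: /\beval\s*\(/g },
  // setTimeout / setInterval whose first argument is a string literal
  { kind: 'timer-string', re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/g },
  { kind: 'function-constructor', re: /\bnew\s+Function\s*\(/g },
];

// Count each blocked construct in a chunk of HTML/JS source and return
// an object of the form { kind: count, ..., total }.
function auditCsp(source) {
  const report = { total: 0 };
  for (const { kind, re, keep } of CSP_CHECKS) {
    const hits = [...source.matchAll(re)].filter(keep || (() => true));
    report[kind] = hits.length;
    report.total += hits.length;
  }
  return report;
}

// Constructed sample in the style of a PHP-generated admin page; it is not
// taken from the phpMyAdmin source tree.
const SAMPLE = `
<script type="text/javascript" src="js/functions.js"></script>
<script type="text/javascript">
  var confirmMsg = 'Do you really want to drop the table?';
  setTimeout("refreshStatus()", 1000);
</script>
<a href="#" onclick="return confirmLink(this, 'DROP TABLE t1')">Drop</a>
<a href="javascript:void(0)" onclick="toggleRow('r1')">Toggle</a>
<form action="sql.php" onsubmit="return checkSqlQuery(this)">
  <input type="submit" value="Go" onclick="doAction()">
</form>
`;

// Each non-zero count is code that would have to move into an external
// .js file and attach its handlers with addEventListener instead.
console.log(auditCsp(SAMPLE));
```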