[Phpmyadmin-devel] Content Security Policy

Marc Delisle marc at infomarc.info
Thu Jul 2 16:49:42 CEST 2009


Herman van Rink wrote:
> Michal Čihař wrote:
>> Hi all
>>
>> you probably noticed that Firefox 3.5 is out and it comes with a new way
>> to protect against XSS called Content Security Policy.
>>
>> Do you think it is worth implementing in phpMyAdmin? It would probably
>> mean changing some parts of our code because it blocks the following
>> things:
>>
>>     * The contents of internal <script> nodes
>>     * javascript: URIs, e.g. <a href="javascript:bad_stuff()">
>>     * Event-handling attributes, e.g. <a onclick="bad_stuff()">
>>     * eval()
>>     * setTimeout called with a String argument, e.g. setTimeout("evil
>>       string...", 1000)
>>     * setInterval called with a String argument, e.g. setInterval("evil
>>       string...", 1000)
>>     * new Function constructor, e.g. var f = new Function("evil
>>       string...")
>>   
> 
> Since we use quite a number of onclick="" attributes, it would take
> considerable effort to implement this.
> I do not expect this to be implemented in all browsers any time soon,
> since it currently is an FF-only feature, and thus we still have to be
> very careful with properly sanitising all output.
> 
> Therefore I see this as a possible long term goal, and something to
> think about when writing new code.
> 
Agreed; also the CSP document itself from Mozilla scares me with lots of 
options and policies to decide about.

-- 
Marc Delisle
http://infomarc.info
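The effort estimate in the thread hinges on how many inline handlers, inline script blocks and javascript: URIs the templates contain, and whether any scripts build code from strings. The following is an added example (not phpMyAdmin code and not from anyone in the thread): a regex-based scanner for exactly the constructs listed in the quoted message, run over a constructed "before" page in the style described and over a constructed "after" page where behaviour is moved into an external script and bound with addEventListener and data-* attributes. The markup, the script snippets and the function names (toggleRow, confirmDrop, refreshStatus) are invented for the example; the scanner is a heuristic for sizing the work, not an HTML parser, so it can miss constructs split across attributes or hidden in comments.

```javascript
// Added example, not phpMyAdmin code: estimate how much of a page a
// Content Security Policy would break by counting the constructs the
// thread lists. All markup and script below is constructed for the example.

// Inline <script> with a body and no src attribute.
const INLINE_SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
// javascript: URIs in href/src/action attributes.
const JS_URI_RE = /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/gi;
// Event-handling attributes such as onclick="..." or onsubmit="...".
const EVENT_ATTR_RE = /\s(on[a-z]+)\s*=/gi;
// String-to-code constructs that CSP disables inside script source.
const SCRIPT_RULES = [
  { kind: 'eval', re: /\beval\s*\(/g },
  { kind: 'new Function', re: /\bnew\s+Function\s*\(/g },
  { kind: 'timer with string argument', re: /\b(?:setTimeout|setInterval)\s*\(\s*["'`]/g },
];

// Return one finding per CSP-incompatible construct in the markup.
function findMarkupViolations(html) {
  const findings = [];
  for (const m of html.matchAll(INLINE_SCRIPT_RE)) {
    const [, attrs, body] = m;
    if (!/\bsrc\s*=/i.test(attrs) && body.trim() !== '') {
      findings.push({ kind: 'inline script', detail: body.trim().slice(0, 40) });
    }
  }
  for (const m of html.matchAll(JS_URI_RE)) {
    findings.push({ kind: 'javascript: URI', detail: m[0] });
  }
  for (const m of html.matchAll(EVENT_ATTR_RE)) {
    findings.push({ kind: 'event attribute', detail: m[1].toLowerCase() });
  }
  return findings;
}

// Return one finding per eval/new Function/string-timer use in script source.
function findScriptViolations(js) {
  const findings = [];
  for (const rule of SCRIPT_RULES) {
    for (const m of js.matchAll(rule.re)) {
      findings.push({ kind: rule.kind, detail: m[0] });
    }
  }
  return findings;
}

// Constructed "before" page: inline script, a javascript: link, on* attributes.
const BEFORE_HTML = `
<script>var pma_token = 'abc123';</script>
<script src="js/functions.js"></script>
<a href="javascript:void(0)" onclick="toggleRow(this)">toggle</a>
<form action="sql.php" method="post" onsubmit="return confirmDrop();">
<input type="button" onclick="return confirmLink(this, 'DROP TABLE t');" value="Drop">
</form>
`;

// Constructed "before" script using the string-to-code constructs CSP blocks.
const BEFORE_JS = `setTimeout("refreshStatus()", 1000); var f = new Function("return 1"); eval(code);`;

// Constructed "after" page: no inline code, behaviour keyed off data-* attributes.
const AFTER_HTML = `
<script src="js/functions.js"></script>
<a href="#" data-action="toggle">toggle</a>
<form action="sql.php" method="post" data-confirm="drop">
<input type="button" data-confirm-sql="DROP TABLE t" value="Drop">
</form>
`;

// Constructed external script accompanying AFTER_HTML (toggleRow and
// refreshStatus are assumed to be defined elsewhere in that file).
const AFTER_JS = `
document.addEventListener('DOMContentLoaded', function () {
  document.querySelectorAll('[data-action=toggle]').forEach(function (a) {
    a.addEventListener('click', function (e) { e.preventDefault(); toggleRow(a); });
  });
  setTimeout(refreshStatus, 1000);   // function reference, not a string
});
`;

// Summarise findings by kind for a quick effort estimate.
function summarise(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.kind]: (acc[f.kind] || 0) + 1 }), {});
}

console.log('before markup:', summarise(findMarkupViolations(BEFORE_HTML)));
console.log('before script:', summarise(findScriptViolations(BEFORE_JS)));
console.log('after markup:', summarise(findMarkupViolations(AFTER_HTML)));
console.log('after script:', summarise(findScriptViolations(AFTER_JS)));
```

Pointing the scanner at a real template directory gives the count Herman's estimate depends on; every event attribute found is one handler to move into a listener, and every inline script block is either data to move into a data-* attribute or code to move into an external file. The "after" variants also show why the change is mostly mechanical: the handlers keep their logic, only the binding moves.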