Security/CSP/Deploying: Difference between revisions

Inline scripts are more easily injected into a site than their externally sourced counterparts.  This is a side effect of mixing code and content.
=== <b><tt>&lt;script&gt;</tt> tags with text child nodes</b> ===
=== <b><tt>javascript:</tt> URIs</b> ===
=== <b>Event handling attributes in HTML tags</b> ===
There are many HTML [http://www.w3.org/TR/html5/browsers.html#event-handler-attributes-0 event handling attributes] (on*) that can contain strings to be evaluated as script.
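As an added example (not code from this wiki page), a small scanner that inventories the three inline-script constructs described in these sections, so a team deploying a policy without <tt>'unsafe-inline'</tt> can see what will break before it ships. The regexes, the <tt>REMEDY</tt> table and the sample HTML are constructed for this example.

```javascript
// Added example: inventory the inline-script constructs that a CSP
// script-src without 'unsafe-inline' will block. Regex-based on purpose so it
// runs offline with no DOM; good enough for a first pass over page templates.
const INLINE_SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const JS_URI_RE = /\b(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/gi;
const EVENT_ATTR_RE = /\s(on[a-z]+)\s*=\s*["']/gi;

// What to do about each kind once the policy is in place (constructed table).
const REMEDY = {
  'inline-script': 'move the code into an externally sourced file (or allow it by nonce/hash)',
  'javascript-uri': 'replace the URI with a listener attached from an external script',
  'event-handler-attribute': 'bind the handler with addEventListener from an external script',
};

function findInlineScriptConstructs(html) {
  const findings = [];
  for (const m of html.matchAll(INLINE_SCRIPT_RE)) {
    // <script src=...> is externally sourced; only a text child node is inline.
    const hasSrc = /\bsrc\s*=/i.test(m[1]);
    const body = m[2].trim();
    if (!hasSrc && body.length > 0) {
      findings.push({ kind: 'inline-script', detail: body.slice(0, 40) });
    }
  }
  for (const m of html.matchAll(JS_URI_RE)) {
    findings.push({ kind: 'javascript-uri', detail: m[0].trim() });
  }
  for (const m of html.matchAll(EVENT_ATTR_RE)) {
    findings.push({ kind: 'event-handler-attribute', detail: m[1].toLowerCase() });
  }
  return findings;
}

// Count findings per kind so the migration can be sized before the policy ships.
function countByKind(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.kind]: (acc[f.kind] || 0) + 1 }), {});
}

// One human-readable line per finding, with the matching remedy.
function report(html) {
  return findInlineScriptConstructs(html).map((f) => `${f.kind}: ${f.detail} -> ${REMEDY[f.kind]}`);
}

// Constructed sample page: one external script (allowed), four blocked constructs.
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script>window.config = {debug: false};</script>
<a href="javascript:openHelp()">Help</a>
<button onclick="submitForm()">Send</button>
<img src="logo.png" onerror="trackError()">
`;
```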


== Removing "eval()"-like features ==