Security/CSP/Deploying: Difference between revisions

=== <b><tt>javascript:</tt> URIs</b> ===
; The Problem : URIs that use the <tt>javascript:</tt> scheme are another popular way to inject and run arbitrary script on a web page. Like inline script, they can be injected into HTML attributes that take a URL (<tt>href</tt>, <tt>src</tt>, <tt>action</tt> and the like), causing arbitrary script execution, so a policy that disables inline script also disables <tt>javascript:</tt> URIs wherever they appear, including in link targets. This holds even though CSP does not otherwise restrict where an ordinary link may navigate: a link to another site is allowed, a <tt>javascript:</tt> link is blocked. Note that the scheme check is the browser's URL parsing, so leading whitespace, mixed case or an entity-encoded tab inside the scheme does not make the URI any less of a <tt>javascript:</tt> URI, and it is blocked all the same.
; General Solution : If <tt>javascript:</tt> URIs are used in your web site, they can usually be converted to script-initiated code: remove the URI from the attribute and attach the behaviour from an external script with <tt>addEventListener</tt>. Moving the code into an inline <tt>onclick</tt> attribute is not a fix, since that is inline script and is blocked by the same policy. Common uses of such URIs are:
* ''TODO: list cases''
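The following Node.js script is an added worked example and is not part of this wiki page or of any Mozilla tooling. It does the two things a deployment needs here: it audits an HTML document for <tt>javascript:</tt> URIs that the policy will block (applying the same normalisation the browser does, so disguised schemes are not missed), and it migrates the most common form, <tt>&lt;a href="javascript:name()"&gt;</tt>, to a <tt>data-action</tt> attribute served by one delegated click handler in an external script. The sample page, the attribute list and the <tt>data-action</tt> convention are this example's own assumptions.

```javascript
// Added example (not part of this wiki page): audit an HTML document for
// javascript: URIs that a CSP will block, and migrate the simplest form
// (<a href="javascript:name()">) to script-initiated code. SAMPLE_HTML below
// is constructed for the demonstration; the attribute list and the
// data-action convention are this example's own choices.

// Browsers strip leading/trailing C0 controls and spaces from a URL, drop
// tab/CR/LF anywhere inside it, and match the scheme case-insensitively,
// so "  JAVA\tscript:..." is still a javascript: URI and is still blocked.
function normalizeUrl(value) {
  return value
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

function isJavascriptUri(value) {
  return /^javascript:/i.test(normalizeUrl(value));
}

// Decode the entity forms commonly used to hide a scheme inside an attribute
// (numeric references, &Tab;, &NewLine;) plus the basic named entities.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&tab;/gi, '\t')
    .replace(/&newline;/gi, '\n')
    .replace(/&quot;/g, '"')
    .replace(/&apos;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// URL-valued attributes that can carry a javascript: URI (assumed list).
const URL_ATTRS = ['href', 'xlink:href', 'src', 'formaction', 'action', 'data'];
const ATTR_RE = new RegExp(
  '(?<![\\w:-])(' + URL_ATTRS.join('|') + ')\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))',
  'gi');
const TAG_RE = /<([a-zA-Z][^\s/>]*)([^>]*)>/g;

// Returns one finding per javascript: URI: { line, tag, attr, value }.
function findJavascriptUris(html) {
  const findings = [];
  for (const tag of html.matchAll(TAG_RE)) {
    const line = html.slice(0, tag.index).split('\n').length;
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const raw = attr[2] ?? attr[3] ?? attr[4] ?? '';
      if (isJavascriptUri(decodeEntities(raw))) {
        findings.push({ line, tag: tag[1].toLowerCase(), attr: attr[1].toLowerCase(), value: raw });
      }
    }
  }
  return findings;
}

// Migration for the common case <a href="javascript:name()">: the URI becomes
// href="#" plus data-action="name", and the call moves into the delegated
// handler below. Anything else is left untouched so it still shows up in the audit.
const SIMPLE_CALL_RE = /^javascript:\s*([A-Za-z_$][\w$]*)\s*\(\s*\)\s*;?\s*$/i;

function rewriteSimpleAnchors(html) {
  return html.replace(/<a\b([^>]*?)(?<![\w:-])href\s*=\s*"([^"]*)"([^>]*)>/gi,
    (match, before, value, after) => {
      const call = SIMPLE_CALL_RE.exec(normalizeUrl(decodeEntities(value)));
      return call ? `<a${before}href="#" data-action="${call[1]}"${after}>` : match;
    });
}

// The script-initiated replacement, to be served from an origin allowed by
// script-src: one delegated click handler; `actions` maps names to functions.
const DELEGATED_HANDLER = `document.addEventListener('click', function (e) {
  var el = e.target.closest('[data-action]');
  if (!el || !(el.dataset.action in actions)) return;
  e.preventDefault();
  actions[el.dataset.action](e);
});`;

// Constructed sample page: four javascript: URIs in various disguises, one normal link.
const SAMPLE_HTML = `<nav>
  <a href="javascript:toggleMenu()">Menu</a>
  <a href=" JaVaScRiPt:void(0)" onclick="openPanel()">Panel</a>
  <a href="https://example.com/">Other site</a>
  <img src="java&#9;script:alert(1)" alt="">
  <form action="javascript:submitForm();"></form>
</nav>`;

console.log(findJavascriptUris(SAMPLE_HTML));
console.log(rewriteSimpleAnchors(SAMPLE_HTML));
console.log(DELEGATED_HANDLER);
```

The scan is regex-based rather than a full HTML parser, so run it over rendered pages or templates as a pre-deployment check, not as a security control; the audit is what tells you which links will break once the policy is live. The rewriter deliberately handles only a bare <tt>name()</tt> call: <tt>void(0)</tt> placeholders and calls with arguments remain in the findings list for a manual conversion to a named handler in the external script.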