Security/CSP/Deploying

; The Problem : URIs that use the <tt>javascript:</tt> scheme are another popular way to inject and run arbitrary script on a web page.  Like inline script, they can be injected into HTML attributes (for example the <tt>href</tt> of a link or the <tt>action</tt> of a form) and execute as soon as the element is activated, so CSP blocks <tt>javascript:</tt> URIs everywhere, including in clickable resources such as links, whose destinations CSP otherwise leaves unfiltered (CSP does not block links to other sites).
; General Solution : If <tt>javascript:</tt> URIs are used in your web site, they can usually be converted to script-initiated code: replace the URI with a real URL (or drop it), and attach the behaviour from an external script file permitted by your policy (for example with <tt>addEventListener</tt>).  Common uses of such URIs are:
* <tt>href</tt> attribute of anchor tag (link)
* <tt>action</tt> attribute of an HTML form
* ''TODO: list other cases''
; Conversion Steps:
* ''TODO: on case-by-case basis''
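As an added example (not code from this wiki page), the following Node.js script audits an HTML fragment for <tt>javascript:</tt> URIs in the <tt>href</tt> and <tt>action</tt> attributes listed above, applying the same normalisation browsers apply before they read a URL scheme (entity decoding, stripping of leading control characters, removal of tab and newline, case-insensitive scheme match), and shows converted markup that passes the audit.  All markup, element ids and function names (<tt>openHelp</tt>, <tt>submitSignup</tt> and so on) are constructed for illustration and are not part of any real site.

```javascript
// Added example, not from the Security/CSP/Deploying wiki page: audit an HTML
// fragment for javascript: URIs in URL-bearing attributes (the links and form
// actions CSP will refuse to run) and show converted markup that passes the audit.
// All markup, ids and function names below are constructed for illustration.

// Attributes that take a URL and are the usual carriers of javascript: URIs.
const URL_ATTRIBUTES = new Set(["href", "action", "formaction", "src"]);

// Named character references that matter for scheme smuggling. Lookups are
// case-insensitive so the audit over-reports rather than misses &Tab;/&NewLine;.
const NAMED_ENTITIES = { amp: "&", tab: "\t", newline: "\n", colon: ":" };

// Decode character references as the HTML parser does for attribute values,
// so that &#106;avascript: and java&Tab;script: are seen for what they are.
function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === "#") {
      const code = body[1].toLowerCase() === "x"
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return Number.isNaN(code) || code > 0x10ffff ? match : String.fromCodePoint(code);
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// Browsers strip leading C0 controls and spaces, then remove tab, LF and CR
// anywhere in the URL, before reading the scheme case-insensitively. Apply the
// same steps so " JavaScript:" and "java\tscript:" are not missed.
function isJavascriptUri(rawValue) {
  const url = decodeEntities(rawValue)
    .replace(/^[\u0000-\u0020]+/, "")
    .replace(/[\t\n\r]/g, "");
  return /^javascript:/i.test(url);
}

// Regex-level tag and attribute scan, enough for an audit; it is not a full
// HTML parser (a literal ">" inside a quoted attribute would end the tag early).
const TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Return one finding per attribute whose value is a javascript: URI.
function findJavascriptUris(html) {
  const findings = [];
  for (const [, tag, attrText] of html.matchAll(TAG_RE)) {
    for (const [, name, dq, sq, bare] of attrText.matchAll(ATTR_RE)) {
      const value = dq ?? sq ?? bare;
      if (value === undefined || !URL_ATTRIBUTES.has(name.toLowerCase())) continue;
      if (isJavascriptUri(value)) {
        findings.push({ tag: tag.toLowerCase(), attr: name.toLowerCase(), value });
      }
    }
  }
  return findings;
}

// Constructed pre-CSP markup: the href and action cases from the list above,
// including obfuscated spellings that still execute in a browser.
const BEFORE_CSP = `
<a href="javascript:openHelp()">Help</a>
<a href=" JavaScript:toggleMenu()">Menu</a>
<a href="java&Tab;script:showAd()">Offers</a>
<a href="&#106;avascript:track('x')">Track</a>
<form action="javascript:submitSignup()" method="post">
  <input name="email"><button formaction="/fallback">Sign up</button>
</form>
<a href="https://example.com/docs">External docs</a>
`;

// Converted markup: each javascript: URI becomes a real URL (so the element
// still works without script) plus an id that an external script can hook.
const AFTER_CSP = `
<a href="/help" id="help-link">Help</a>
<a href="#menu" id="menu-toggle">Menu</a>
<a href="/offers" id="offers-link">Offers</a>
<a href="/track?x" id="track-link">Track</a>
<form action="/signup" id="signup-form" method="post">
  <input name="email"><button>Sign up</button>
</form>
<a href="https://example.com/docs">External docs</a>
`;

// The behaviour moves into an external file allowed by the policy, loaded as
// <script src="/js/app.js"></script> (hypothetical path), containing e.g.:
//   document.getElementById("help-link").addEventListener("click", (e) => {
//     e.preventDefault(); openHelp();
//   });
//   document.getElementById("signup-form").addEventListener("submit", (e) => {
//     e.preventDefault(); submitSignup();
//   });

console.log("before:", findJavascriptUris(BEFORE_CSP)); // 5 findings
console.log("after:", findJavascriptUris(AFTER_CSP));   // []
```

Run the audit over the site's templates before switching on the policy: every finding is a link or form that will silently stop working once CSP is enforced.  The scan keeps the external link to <tt>https://example.com/docs</tt> out of the report, matching the point above that CSP blocks the <tt>javascript:</tt> scheme, not navigation to other sites.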