Changes

Security/CSP/Specification

483 bytes removed, 23:47, 8 March 2010
===XBL bindings must come from chrome: or resource: URIs===
''NOTE: this restriction is currently Firefox-specific, but related behavior in other User Agents should also be limited.''
 
<font color="#a00">
* Restricted: User Agents MUST block:
** XBL bindings loaded via any protocol other than chrome: or resource:
</font>
<font color="#060">
* Allowed: User Agents MUST NOT block:
** XBL bindings loaded via the chrome: or resource: protocols
</font>
* Justification:
** XBL is used to define the properties and behaviors of elements in HTML, XUL, and SVG documents from external files and as such is a vector for script injection.
** Requiring that XBL bindings be loaded from either the chrome: or resource: protocol ensures that the bindings are part of a package already installed on a user's system. This prevents script from arbitrary locations on the Web from being included in a document via CSS.
** Note: this restriction still enables user stylesheets to use XBL, custom browser add-on bindings to be referenced by web content, and chrome UI features to be implemented in XBL, e.g. <video> controls.
* Vulnerability types mitigated:
*# Stylesheet script injection
*# Style attribute injection
User Agents MUST generate and send a violation report with the fields set appropriately when this base restriction is violated.
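Added example (not part of this specification page or of any Firefox code): a minimal enforcement check for the base restriction above. It scans CSS text for `-moz-binding` declarations (the real Firefox CSS property that attaches XBL bindings; the page itself does not name it), resolves the scheme of each binding URI, allows only chrome: and resource:, and produces a violation record for everything else. The functions, the sample CSS and the report field names (`blocked-uri`, `document-uri`, `violated-directive`) are assumptions chosen for illustration; the actual report format is defined elsewhere in the specification.

```javascript
// Added example, not code from the CSP specification or from Firefox.
// Enforces the XBL base restriction: bindings may only come from chrome: or resource:.

const ALLOWED_XBL_SCHEMES = new Set(["chrome", "resource"]);

// Extract the scheme of a URI reference (RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )).
// Returns null for a relative reference, which has no scheme of its own.
function uriScheme(uri) {
  const m = /^\s*([A-Za-z][A-Za-z0-9+.-]*):/.exec(uri);
  return m ? m[1].toLowerCase() : null;
}

// Decide whether a binding URI satisfies the restriction. A relative reference
// inherits the scheme of the document it appears in, so a binding like
// "bindings.xml" inside an https: page resolves to https: and must be blocked,
// while the same reference inside chrome: UI stays allowed.
function isAllowedXblBindingUri(uri, documentBase) {
  let scheme = uriScheme(uri);
  if (scheme === null) {
    scheme = uriScheme(documentBase);
  }
  return scheme !== null && ALLOWED_XBL_SCHEMES.has(scheme);
}

// Pull every url(...) argument out of -moz-binding declarations in a chunk of
// CSS (a stylesheet or a style attribute). Handles double-quoted, single-quoted
// and unquoted url() forms; the property name is matched case-insensitively.
function extractXblBindingUris(cssText) {
  const re = /-moz-binding\s*:\s*url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)/gi;
  const out = [];
  let m;
  while ((m = re.exec(cssText)) !== null) {
    out.push(m[1] ?? m[2] ?? m[3]);
  }
  return out;
}

// Apply the base restriction to a chunk of CSS and return one violation record
// per blocked binding. The field names are hypothetical placeholders.
function enforceXblRestriction(cssText, documentBase) {
  const violations = [];
  for (const uri of extractXblBindingUris(cssText)) {
    if (!isAllowedXblBindingUri(uri, documentBase)) {
      violations.push({
        "blocked-uri": uri,                                   // hypothetical field name
        "document-uri": documentBase,                         // hypothetical field name
        "violated-directive": "xbl base restriction (chrome:/resource: only)", // hypothetical
      });
    }
  }
  return violations;
}

// Constructed sample stylesheet: one allowed chrome: binding (the built-in
// video controls case mentioned above) next to a web URL, a data: URI and a
// relative reference, all of which the restriction must block in a web page.
const SAMPLE_CSS = `
  video { -moz-binding: url("chrome://global/content/bindings/videocontrols.xml#videoControls"); }
  div.x { -moz-binding: url(http://untrusted.example/evil.xml#x); }
  div.y { -moz-binding: url('data:text/xml,<bindings/>'); }
  div.z { -moz-binding: url(bindings.xml#z); }
`;

// Stand-alone run: lists the three bindings that would be blocked in an https: document.
console.log(enforceXblRestriction(SAMPLE_CSS, "https://site.example/page.html"));
```

The same check applies unchanged to a `style` attribute, which is why the page lists style attribute injection alongside stylesheet injection: the binding URI, not where the CSS came from, is what the restriction keys on.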
==Restrictions on policy-uri and report-uri==