Security/Inline Scripts and Styles: Difference between revisions

Security/Inline Scripts and Styles (view source)

434 bytes added , 13 February 2014

again

Confirmed users

239

edits

@@ Line 12: / Line 12: @@
 == Goals & Non-Goals ==
 Cross-Site Scripting (XSS) and other content injections are a prevalent, yet very serious security issue for the web. But there is a way to make it less harmful: [https://developer.mozilla.org/en/docs/Security/CSP Content Security Policy (CSP)]. A content security policy is a list of allowed scripts, styles and other resources. Creating such a policy can disallow any kind of injected HTML to be harmful to the user. For CSP to understand which things are allowed and which are injected, everything has to live in its own document: An .html-file just for the HTML, a .css-file for stylesheets, a .js just for scripts and so on. This means, that there is quite a lot of code that requires to be rewritten.
+== Remaining bugs ==
+<bugzilla>
+{
+  "blocks": "923920",
+  "status": "NEW",
+  "whiteboard": "good first bug"
+}
+</bugzilla>
+<!--
+  Explanation of bugzilla query:
+* 923920 is the tracker. Every item should be listed as a blocker.
+* We only list "NEW" bugs, as ASSIGNED or RESOLVED is not ready to work on.
+* The whiteboard selection is used to exclude meta bugs (e.g., for SeaMonkey and DevTools) that hang below this tracker.
+-->
 == Identifying and changing inline code patterns ==