Edit summaries: (examples) | (bugzilla bug list included)
Line 11: | Line 11:
== Goals & Non-Goals ==
Cross-Site Scripting (XSS) and other content injections are a prevalent and serious security issue for the web. But there is a way to make them less harmful: [https://developer.mozilla.org/en/docs/Security/CSP Content Security Policy (CSP)]. A content security policy is a list of allowed scripts, styles and other resources. With such a policy in place, injected HTML of any kind can be prevented from harming the user. For CSP to tell which things are allowed and which are injected, everything has to live in its own document: an .html file just for the HTML, a .css file for stylesheets, a .js file just for scripts and so on. This means that quite a lot of code has to be rewritten.
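As an added example (not part of this wiki page or of Mozilla's own tooling), a small Python scanner that flags the inline patterns a CSP without 'unsafe-inline' blocks and names the directive each one falls under; the sample HTML and the finding names are constructed for illustration:

```python
from html.parser import HTMLParser

# Constructed sample (not from the wiki): one already-external script plus
# every inline pattern that a CSP without 'unsafe-inline' would block.
SAMPLE_HTML = """<html><head><style>body { color: red }</style>
<script src="/static/app.js"></script><script>init();</script></head>
<body><a href="javascript:void(0)" onclick="doThing()">go</a>
<div style="display:none">hidden</div></body></html>"""

class InlineCodeFinder(HTMLParser):
    """Collects (kind, csp_directive, detail) for each inline code pattern."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._block = None  # (kind, directive) while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            self._block = ("inline-script", "script-src")      # move to a .js file
        elif tag == "style":
            self._block = ("inline-style-block", "style-src")  # move to a .css file
        for name, value in attrs.items():
            value = (value or "").strip()
            if name.startswith("on"):  # onclick= etc.: use addEventListener in the .js
                self.findings.append(("event-handler", "script-src", f"<{tag} {name}={value!r}>"))
            elif name in ("href", "src") and value.lower().startswith("javascript:"):
                self.findings.append(("javascript-url", "script-src", f"<{tag} {name}={value!r}>"))
            elif name == "style":      # style=: replace with a class defined in the .css
                self.findings.append(("inline-style-attr", "style-src", f"<{tag} style={value!r}>"))

    def handle_data(self, data):
        if self._block and data.strip():
            self.findings.append((*self._block, data.strip()))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._block = None

def find_inline_code(html):
    """Return every inline pattern in the document, in source order."""
    parser = InlineCodeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

def affected_directives(findings):
    """CSP directives that would still need 'unsafe-inline' until the findings are fixed."""
    return sorted({directive for _, directive, _ in findings})
```

Running `find_inline_code(SAMPLE_HTML)` yields five findings; the external `/static/app.js` script is correctly not reported.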
(Added in the newer revision:)
== Remaining bugs ==
<bugzilla>
{
  "blocks": "923920",
  "status": "NEW"
}
</bugzilla>
== Identifying and changing inline code patterns ==