MozillaWiki

SecurityEngineering/CSP Radar: Difference between revisions

Page Discussion

SecurityEngineering/CSP Radar (view source)

Revision as of 01:29, 29 June 2013

364 bytes removed ,  29 June 2013
→‎Issues
Line 28: Line 28:
* P? - (non CSP spec) - script-hash ?
* P? - (non CSP spec) - script-hash ?


= Issues =
= Things To Do ? =
* should inline scripts/eval be blocked if neither script-src or default-src are present ?
** this is so you can do e.g. csp sandbox or frame-options without blocking scripts
** adam's view is that if you don't opt into script restrictions by specifying default-src or script-src scripts shouldn't be blocked
** filed https://bugzilla.mozilla.org/show_bug.cgi?id=885433
* script-nonce / script-hash (CSP 1.1)
* script-nonce / script-hash (CSP 1.1)
* paths (CSP 1.1)
* paths (CSP 1.1)
Line 38: Line 34:
* anything else from CSP 1.1 or UI Safety specs ?  
* anything else from CSP 1.1 or UI Safety specs ?  
* frame-options (pretty much == frame-ancestors)
* frame-options (pretty much == frame-ancestors)
* redirects / general nsIContentPolicy issue ?
* redirects / general nsIContentPolicy issue ?


= ACTIONS =
= ACTIONS =
Imelven
Confirmed users
197

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/671494"