Security/CSP/Specification: Difference between revisions

Security/CSP/Specification (view source)

483 bytes removed , 8 March 2010

canmove, Confirmed users

1,537

edits

@@ Line 349: / Line 349: @@
 ===XBL bindings must come from chrome: or resource: URIs===
+''NOTE: this is currently Firefox-Specific, but related behavior in other User Agents should also be limited.''
 <font color="#a00">
-* Restricted:
+* User Agents MUST block:
 ** XBL bindings loaded via any protocol other than chrome: or resource:
 </font>
 <font color="#060">
-* Allowed:
+* User Agents MUST not block:
 ** XBL bindings loaded via the chrome: or resource: protocols
 </font>
-* Justification:
-** XBL is used to define the properties and behaviors of elements in HTML, XUL, and SVG documents from external files and as such is a vector for script injection.
-** Requiring that XBL bindings be loaded from either the chrome: or resource: protocol ensures that the bindings are part of a package already installed on a user's system. This prevents script from arbitrary locations on the Web from being included in a document via CSS.
-** Note: this restriction still enables user stylesheets to use XBL, custom browser add-on bindings to be referenced by web content, and chrome UI features to be implemented in XBL, e.g. &lt;video> controls.
-* Vulnerability types mitigated:
-*# Stylesheet script injection
-*# Style attribute injection
+User Agents MUST generate and send a violation report with the fields set appropriately when this base restriction is violated.
 ==Restrictions on policy-uri and report-uri==