On 10/08/09 19:50, Brandon Sterne wrote:
> Working examples will be forthcoming as soon as we have Firefox builds
> available which contain CSP.
We shouldn't need to wait for working builds to try and work out the
policies, should we? Although perhaps it would be a lot easier if you
could test them via trial and error.
Here are some possibilities for www.mozilla.org, based on the home page -
which does repost RSS headlines, so there's at least the theoretical
possibility of an injection. To begin with:
allow self; options inline-script;
would be a perfectly reasonable policy. The inline-script is required
because the Urchin tracker script appears to need kicking off using a
single line of inline script. If this could be avoided, you could remove
that second directive.
A tighter alternative would be:
allow none; options inline-script; img-src self; script-src self;
style-src self;
I used the Page Info tab on the home page to get lists of image URLs in
some categories. An add-on which did this for all CSP categories and
provided other help would definitely be useful.
(Note that mozilla.org is going through a redesign, so the new version
might require a different policy.)
I must say I do find myself automatically wanting to use colons (like
CSS) or equals signs in these directives...
Gerv
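As an added illustration (not part of Gerv's message, and not Mozilla's parser or any shipping CSP implementation), here is a small Python evaluator for the 2009-era directive syntax used above. It applies the two policies from the message to a few constructed resource loads, so the difference between the "allow self" fallback and the tighter "allow none" policy becomes visible. The matching rules (how `self`, `none` and bare host tokens are interpreted), the page URL and every resource URL are assumptions made for the example.

```python
"""Toy evaluator for the early (2009) CSP directive syntax.

Assumptions (added illustration, not Mozilla's implementation):
- A policy is a ';'-separated list of directives; each directive is a
  name followed by whitespace-separated source tokens.
- 'allow' is the fallback for any resource type that has no specific
  '<type>-src' directive (the modern equivalent is default-src).
- 'self' matches the page's own scheme and host; 'none' matches nothing;
  any other token is treated as a literal host name (hypothetical rule).
- 'options inline-script' permits inline <script> blocks, which are
  otherwise refused.
"""
from urllib.parse import urlsplit

# The two policies proposed in the message above.
POLICY_LOOSE = "allow self; options inline-script;"
POLICY_TIGHT = ("allow none; options inline-script; img-src self; "
                "script-src self; style-src self;")

# Constructed sample page and resource URLs (not taken from mozilla.org).
PAGE_URL = "http://www.mozilla.org/"
SAMPLE_LOADS = [
    ("img", "http://www.mozilla.org/images/logo.png"),
    ("script", "http://www.mozilla.org/js/site.js"),
    ("script", "http://tracker.example/urchin.js"),   # third-party script
    ("object", "http://www.mozilla.org/media/demo.swf"),
]


def parse_policy(text):
    """Split 'name src src; name src;' into {name: [sources]}."""
    policy = {}
    for directive in text.split(";"):
        tokens = directive.split()
        if not tokens:
            continue  # trailing ';' leaves an empty directive
        policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def source_matches(source, page_url, resource_url):
    """Does one source token permit loading resource_url from page_url?"""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    if source == "none":
        return False
    if source == "self":
        return (res.scheme, res.netloc) == (page.scheme, page.netloc)
    return res.netloc == source  # hypothetical: bare host literal


def allows(policy, resource_type, page_url, resource_url):
    """Check a load against '<type>-src', falling back to 'allow'."""
    sources = policy.get(resource_type + "-src",
                         policy.get("allow", ["none"]))
    return any(source_matches(s, page_url, resource_url) for s in sources)


def allows_inline_script(policy):
    return "inline-script" in policy.get("options", [])


def evaluate(policy_text, loads=SAMPLE_LOADS, page_url=PAGE_URL):
    """Return {(type, url): allowed} plus the inline-script decision."""
    policy = parse_policy(policy_text)
    verdict = {(t, u): allows(policy, t, page_url, u) for t, u in loads}
    verdict["inline-script"] = allows_inline_script(policy)
    return verdict


if __name__ == "__main__":
    for label, text in (("loose", POLICY_LOOSE), ("tight", POLICY_TIGHT)):
        print(label, text)
        for key, ok in evaluate(text).items():
            print("  ", "allow " if ok else "BLOCK ", key)
```

Under the loose policy every same-origin load of any type is permitted and the third-party script is refused; under the tight policy the same-origin image, script and style loads still pass, but the plug-in object is refused because nothing overrides "allow none" for it. Both permit the single inline script the message mentions; dropping "options inline-script" would refuse it.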
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security