Hi, I was thinking.. Should there be a way to protect us from Cross-Zone Scripting (i.e. somebody XSSing privileged pages and thus being able to execute arbitrary commands) by applying CSP to internal pages?
There were and probably will be XSS bugs in some parts of our browser that heavily use HTML and JavaScript. Currently I'm thinking about previous bugs like MFSA2013-52 [1] and MFSA2012-95 [2], where a content page was able to inject scripts into chrome. While a few pages like about:memory use inline JavaScript, I think this could be easily rewritten. The only question that remains is how hard it is to apply a CSP to non-HTTP documents and XUL documents (like about:newtab)?

Cheers,
Freddy

[1] http://www.mozilla.org/security/announce/2013/mfsa2013-52.html
[2] http://www.mozilla.org/security/announce/2012/mfsa2012-95.html

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
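
Added example (not part of the original message and not Mozilla code): a small Python audit that lists what a page would have to rewrite before a CSP without 'unsafe-inline' can be applied to it, namely inline scripts, inline event handlers and javascript: URLs. The sample page and its chrome:// URL are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that can carry a javascript: URL (heuristic, not exhaustive).
URL_ATTRS = {"href", "src", "action", "formaction"}

class InlineScriptAudit(HTMLParser):
    """Collects constructs that a CSP without 'unsafe-inline' would block."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []               # (line, kind, detail)
        self._inline_script_line = None  # set while inside <script> without src

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = [(k, v or "") for k, v in attrs]
        if tag == "script" and "src" not in {k for k, _ in attrs}:
            self._inline_script_line = line
        for name, value in attrs:
            if name.startswith("on"):    # onload, onclick, ...
                self.findings.append((line, "event-handler", f"{tag}[{name}]"))
            elif name in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                self.findings.append((line, "javascript-url", f"{tag}[{name}]"))

    def handle_data(self, data):
        # Non-empty text inside a src-less <script> is inline script.
        if self._inline_script_line is not None and data.strip():
            self.findings.append((self._inline_script_line, "inline-script", "script"))
            self._inline_script_line = None

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline_script_line = None

def audit(html_text):
    parser = InlineScriptAudit()
    parser.feed(html_text)
    parser.close()
    return parser.findings

# Constructed sample page; the chrome:// URL is a placeholder.
SAMPLE_PAGE = """<!DOCTYPE html>
<html>
<head>
  <script src="chrome://example/content/page.js"></script>
  <script>
    window.addEventListener("load", init);
  </script>
</head>
<body onload="init()">
  <a href="javascript:refresh()">Refresh</a>
  <button id="run">Run</button>
</body>
</html>
"""

if __name__ == "__main__":
    for line, kind, detail in audit(SAMPLE_PAGE):
        print(f"line {line}: {kind} ({detail})")
```

A page with no findings loads all of its script from external files, so a policy that allows only those script sources would not break it.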