https://bugzilla.wikimedia.org/show_bug.cgi?id=26508
Hendrik Brummermann <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #3 from Hendrik Brummermann <[email protected]> 2011-12-10 14:31:52 UTC ---
The first step is to remove all JavaScript that is embedded into the HTML output by the MediaWiki core via inline script-tags or "on"-attributes.

Most inline JavaScript is created while the HTML page is rendered and contains data that is specific to the current page. This data can be stored in data-attributes for HTML 5 and attributes in a non-HTML namespace for XHTML.

Once the MediaWiki core supports CSP, there could be a user option to enable unsafe scripting. And a function for extensions to add unsafe-inline, unsafe-eval or URLs to the whitelist.

At the beginning of this year - when this feature request was made - only Firefox supported CSP. But among WebKit-based browsers, even the latest preview of Internet Explorer 10 supports it now.

The current draft of the specification is at: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
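
The clean-up described in comment #3, as an added example that is not part of the original comment and is not MediaWiki code: page-specific data moves from an inline script into a data-attribute, and a heuristic check lists the inline script-tags and "on"-attributes still present in rendered output. The sample markup, `renderPageConfig`, `findInlineScript`, the `page-config` id and `/resources/page.js` are constructed for illustration.

```javascript
// Added example, not MediaWiki code. Names, markup and paths are constructed.

// Escape a value for a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Emit page-specific data as a data-attribute instead of an inline <script>.
// A static script file reads it back in the browser with:
//   JSON.parse(document.getElementById('page-config').dataset.config)
function renderPageConfig(config) {
  return '<div id="page-config" data-config="' +
    escapeAttr(JSON.stringify(config)) + '"></div>';
}

// Heuristic audit of rendered HTML: report inline <script> elements and
// on*-attributes, which a script-src policy without 'unsafe-inline' blocks.
// Regex-based, so it is a lint aid and not a full HTML parser.
function findInlineScript(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|'[^']*'|[^"'>])*)>/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const name = tag[1].toLowerCase();
    const attrRe = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
    const attrs = [];
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) attrs.push(attr[1].toLowerCase());
    for (const a of attrs) {
      if (/^on[a-z]+$/.test(a)) findings.push(name + ' ' + a);
    }
    if (name === 'script' && !attrs.includes('src')) findings.push('inline <script>');
  }
  return findings;
}

// Constructed sample output: before and after the clean-up.
const before = '<body onload="setup()">' +
  '<script>var wgPageName = "Main_Page";</script>' +
  '<a href="#" onclick="return toggle(this)">toggle</a></body>';
const after = '<body>' + renderPageConfig({ wgPageName: 'Main_Page' }) +
  '<a href="#" class="toggle">toggle</a>' +
  '<script src="/resources/page.js"></script></body>';

console.log(findInlineScript(before));
console.log(findInlineScript(after));
```

An empty result for a page is the precondition for serving it with a `script-src` policy that omits `unsafe-inline`.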
