Summary: Content Security Policy (CSP)
           Product: MediaWiki
           Version: wikimedia-deployment
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: Normal
         Component: Javascript

Coming in Firefox 4

"Content Security Policy (CSP) is an added layer of security that helps to
detect and mitigate certain types of attacks, including Cross Site Scripting
(XSS) and data injection attacks."

"Enabling CSP is as easy as configuring your web server to return the
X-Content-Security-Policy HTTP header."

Example of change required:
* User Agents MUST block:
  o The contents of internal <script> nodes
  o javascript: URIs, e.g. <a href="javascript:bad_stuff()"> (unless enabled by
  o Event-handling attributes, e.g. <a onclick="bad_stuff()">

* User Agents MUST NOT block:
  o Scripts imported from external files whose sources are allowed by the
    protected document's policy AND are served with a Content-Type of
    application/javascript or application/json.
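To make the two quoted rules concrete (the header the server returns, and what a user agent must then block or permit), here is a small policy evaluator. It is an added example, not MediaWiki code and not Mozilla's implementation: the directive names ("allow" as the default source list, "script-src"), the 'self' keyword, the host-matching rules and the sample hosts (wiki.example.org, static.example.org) are assumptions of this example, since the report above only quotes the blocking rules and the header name.

```python
from urllib.parse import urlparse

# Directive names ("allow" as the default source list, "script-src") follow the
# Firefox 4-era X-Content-Security-Policy syntax; the bug report does not list
# them, so they are an assumption of this example, not something it states.
SCRIPT_MIME_TYPES = {"application/javascript", "application/json"}


def parse_policy(header_value):
    """Parse a header value such as
    "allow 'self'; script-src 'self' https://static.example.org"
    into {directive_name: [source expressions]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(src, script, document_origin):
    """Does one source expression match the parsed script URL?
    document_origin is a (scheme, host) tuple for the protected document."""
    if src == "*":
        return True
    if src == "'none'":
        return False
    if src == "'self'":
        return (script.scheme, script.netloc) == document_origin
    if "://" in src:
        scheme, host = src.split("://", 1)
    else:
        # A bare host is taken to mean the document's own scheme (assumed simplification).
        scheme, host = document_origin[0], src
    if scheme != script.scheme:
        return False
    if host.startswith("*."):
        return script.netloc.endswith(host[1:])  # *.example.org matches a.example.org
    return script.netloc == host


def script_sources(policy):
    """script-src wins; otherwise fall back to the default 'allow' list."""
    return policy.get("script-src", policy.get("allow", []))


def script_decision(policy, document_origin, kind, url=None, content_type=None):
    """Return "blocked" or "allowed" for one script under the policy.

    kind is "inline" (the body of a <script> node), "javascript-uri",
    "event-handler", or "external" (a <script src=...>). The first three are
    blocked unconditionally, matching the MUST-block list quoted above; the
    inline-script opt-out the spec alludes to is deliberately not modelled.
    """
    if kind in ("inline", "javascript-uri", "event-handler"):
        return "blocked"
    if kind != "external":
        raise ValueError(f"unknown script kind: {kind}")
    # Content-Type may carry parameters ("application/javascript; charset=UTF-8"):
    # compare only the media type, case-insensitively.
    mime = (content_type or "").split(";", 1)[0].strip().lower()
    if mime not in SCRIPT_MIME_TYPES:
        return "blocked"  # allowed host but wrong Content-Type still fails the MUST-NOT-block rule
    script = urlparse(url)
    if any(source_matches(src, script, document_origin) for src in script_sources(policy)):
        return "allowed"
    return "blocked"


if __name__ == "__main__":
    # Constructed sample: a wiki on wiki.example.org that loads scripts from
    # itself and from one static host. Everything else is blocked.
    policy = parse_policy("allow 'self'; script-src 'self' https://static.example.org")
    origin = ("https", "wiki.example.org")
    cases = [
        ("inline <script> body", ("inline",)),
        ("javascript: href", ("javascript-uri",)),
        ("onclick attribute", ("event-handler",)),
        ("own-origin script", ("external", "https://wiki.example.org/skins/common.js",
                               "application/javascript; charset=UTF-8")),
        ("allowed static host", ("external", "https://static.example.org/load.js",
                                 "application/javascript")),
        ("wrong Content-Type", ("external", "https://static.example.org/load.js", "text/plain")),
        ("scheme downgrade", ("external", "http://static.example.org/load.js",
                              "application/javascript")),
        ("unlisted host", ("external", "https://other.example.net/x.js", "application/javascript")),
    ]
    for label, args in cases:
        print(f"{label:22s} -> {script_decision(policy, origin, *args)}")
```

The last three cases are the ones worth checking in a deployment: a script from the right host but served as text/plain, a plain-http copy of an https-only source, and an unlisted host are all blocked, so a misconfigured static server or a mixed-scheme link breaks page scripts rather than silently weakening the policy.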

Jumping on the bandwagon:

"+ [core] Include Content Security Policy HTTP headers."

MantisBT bugtracking
"As Firefox 4 has been pushed back to early 2011 we have more time to finish
off the implementation of X-Content-Security-Policy within MantisBT."

Wikibugs-l mailing list