On Sun, 2011-06-05 at 11:03 +0200, Jakub Narebski wrote:
> In the future however it might be a better solution for gitweb to implement
> (as an option) support for CSP (Content Security Policy), which IIRC did
> not exist in 2009, in addition to the current $prevent_xss.

Sure. CSP is not a substitute for designing to prevent harmful HTML injection, but a mitigation for some of its worst effects in case some injection points are overlooked. There's no reason not to enable it by default with $prevent_xss, though third parties adding functionality to gitweb would need to know to disable it or modify the policy accordingly.

-- 
Matt
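The layering Matt describes (escape repository data first, send CSP as a backstop tied to $prevent_xss, and let add-ons extend the policy rather than drop it), as an added example in Python that is not gitweb's code; gitweb is Perl, and every name here other than $prevent_xss is assumed.

```python
import html

def render_commit_subject(subject):
    """Primary control: untrusted repository data is escaped before it enters HTML."""
    return '<span class="subject">%s</span>' % html.escape(subject, quote=True)

def build_csp(prevent_xss, extra_script_sources=()):
    """Backstop control, enabled together with prevent_xss (hypothetical flag
    mirroring gitweb's $prevent_xss). Add-ons that load scripts from elsewhere
    pass their origins in extra_script_sources instead of disabling the policy."""
    if not prevent_xss:
        return None
    directives = [
        ("default-src", ["'self'"]),
        ("script-src", ["'self'"] + list(extra_script_sources)),
        ("style-src", ["'self'"]),
        ("img-src", ["'self'"]),
        ("object-src", ["'none'"]),
        ("base-uri", ["'self'"]),
        ("frame-ancestors", ["'none'"]),
    ]
    return "; ".join("%s %s" % (name, " ".join(srcs)) for name, srcs in directives)

def csp_weaknesses(policy):
    """Audit a policy string for settings that would let injected markup run anyway,
    which is what a third party editing the default policy is most likely to break."""
    directives = {}
    for item in policy.split(";"):
        item = item.strip()
        if item:
            name, _, value = item.partition(" ")
            directives[name] = value.split()
    findings = []
    if "script-src" not in directives and "default-src" not in directives:
        findings.append("no script-src or default-src: scripts from anywhere are allowed")
    scripts = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in scripts:
        findings.append("script-src allows 'unsafe-inline': injected inline scripts run")
    if "*" in scripts:
        findings.append("script-src allows *: scripts from any origin run")
    return findings

if __name__ == "__main__":
    # Constructed commit subject containing markup, as repository data would.
    print(render_commit_subject("Fix <b>bold</b> parsing"))
    policy = build_csp(True, ("https://cdn.example.invalid",))
    print(policy, csp_weaknesses(policy))
    print(csp_weaknesses("default-src *; script-src 'self' 'unsafe-inline'"))
```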