Michael A. Peters wrote:
Martin Zvarík wrote:
What's the point?
The point is detailed on the (not fully complete) description page I
just put up -
http://www.clfsrpm.net/xss/
Yeah, I just had a quick look...
"The browser will only execute script in source files from the
white-listed domains and will disregard everything else, including
embedded and inline scripts."
wtf, can't you just take care of the INPUT and type
strip_tags($_GET['my_name']) ??
This won't be implemented in any browser, can't be.
Namely, a lot of people who have web sites do not have the technical
capability to prevent their site from being used as an XSS vector to
attack other people.
By setting a simple security policy, browsers that implement CSP can
see that something funny is being tried because the web site has
instructed the browser it will not try to do that action from that
domain.
By implementing CSP server side, even users without CSP enabled
browsers (just about everyone currently) will have some measure of
protection.
That's the point.
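A concrete form of the two layers Michael describes, as an added example that is neither his project's code nor anything posted in this thread: the server sends a CSP header built from a whitelist of script hosts for browsers that implement CSP, and strips from the response every script that policy would have blocked so browsers without CSP get the same protection. The whitelist, host names and sample page are constructed.

```php
<?php
// Added example, not code from clfsrpm.net/xss or from either poster.
// The whitelist, host names and sample page below are constructed.

// Build the policy the browser enforces: script only from our own origin
// and the whitelisted hosts; inline and embedded scripts are disregarded.
function build_csp_header(array $script_hosts): string
{
    $sources = array_merge(["'self'"], $script_hosts);
    return "Content-Security-Policy: default-src 'self'; script-src "
        . implode(' ', $sources);
}

// Server-side fallback for browsers that do not implement CSP: parse the
// response and remove every <script> the policy above would have blocked.
function enforce_script_policy(string $html, array $script_hosts, string $own_host): string
{
    $allowed = array_map('strtolower', array_merge([$own_host], $script_hosts));
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate sloppy real-world markup
    $doc->loadHTML($html);
    libxml_clear_errors();
    // Copy the live NodeList first; removing nodes while iterating it skips items.
    $scripts = iterator_to_array($doc->getElementsByTagName('script'));
    foreach ($scripts as $script) {
        $src = $script->getAttribute('src');
        if ($src === '') {
            $script->parentNode->removeChild($script);   // inline script: never allowed
            continue;
        }
        $host = strtolower((string) parse_url($src, PHP_URL_HOST));
        if ($host === '') {
            $host = strtolower($own_host);   // relative URL resolves to our own host
        }
        if (!in_array($host, $allowed, true)) {
            $script->parentNode->removeChild($script);   // external script off the whitelist
        }
    }
    return $doc->saveHTML();
}

$hosts = ['cdn.example.com'];           // constructed whitelist
header(build_csp_header($hosts));       // must precede any output
// Constructed response: a reflected inline payload, a script from a host not
// on the whitelist, and a legitimate whitelisted script. Only the last survives.
$page = '<html><body><p>Hello</p><script>alert(1)</script>'
      . '<script src="http://evil.example.net/x.js"></script>'
      . '<script src="https://cdn.example.com/lib.js"></script></body></html>';
echo enforce_script_policy($page, $hosts, 'www.example.com');
```

The DOM-based pass is deliberately used instead of a regex over the output, since a regex would miss scripts the HTML parser still recognises.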
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php