On Tue, Sep 6, 2011 at 5:41 AM, Alexandros Vellis <avel@...> wrote:
> There is a new method for providing an extra layer of security against
> XSS, which uses a set of HTTP headers to provide content restrictions
> and policy directives.
> For something like this to apply in squirrelmail, there is a need for
> In my opinion it is worth the effort.
It'd be nice to think we could wash away all our XSS fears and
problems with a solution like this, but we'd still need to stay on top
of things for those using browsers without such support.
Additionally, "the effort" may or may not be substantial.
We'd need to keep in mind that many plugins are only able to do what
probably some ways around this (require all plugins to add script tags
in the page header and add a hook for the onload event they can add to
or the likes, but I can imagine this being fairly problematic in more
than a few cases.
It'd be interesting to play with, but would need to be configurable so
admins can turn it off to be able to use incompatible plugins, etc.
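As an added illustration of the idea under discussion (not code from SquirrelMail or from either poster), here is a hypothetical PHP helper that emits one such header with the two properties raised above: an admin switch to turn it off, and a registration hook so plugins can declare the script origins they need. The config keys, function names and report endpoint are assumed; browsers that do not implement the header simply ignore it.

```php
<?php
// Added example, not SquirrelMail code: a hypothetical CSP helper for a webmail page.
// Hypothetical settings; in a real install they would live in the admin config.
$csp_config = array(
    'enabled'    => true,              // admins set false to run incompatible plugins
    'report_uri' => '/csp-report.php', // hypothetical endpoint that logs violation reports
);

// Registry filled by plugins (hypothetical hook) with the script origins they load.
$csp_script_sources = array();

function csp_register_script_source($origin) {
    global $csp_script_sources;
    // Accept only a bare origin so a plugin cannot smuggle policy syntax into the header.
    if (preg_match('#^https?://[A-Za-z0-9.-]+(:\d+)?$#', $origin)) {
        $csp_script_sources[$origin] = true;
    }
}

function csp_build_policy(array $config, array $script_sources, $nonce) {
    // Inline script is what most XSS payloads need, so script-src allows only our own
    // origin, registered plugin origins, and a per-request nonce carried by the page's
    // own <script> tags; injected markup cannot know the nonce.
    $script_src = "'self' 'nonce-" . $nonce . "'";
    foreach (array_keys($script_sources) as $origin) {
        $script_src .= ' ' . $origin;
    }
    $directives = array(
        "default-src 'self'",
        'script-src ' . $script_src,
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    );
    if (!empty($config['report_uri'])) {
        $directives[] = 'report-uri ' . $config['report_uri'];
    }
    return implode('; ', $directives);
}

// Call before any output. Returns the nonce for templates, or null when CSP is off.
function csp_send_header(array $config, array $script_sources) {
    if (empty($config['enabled'])) {
        return null;
    }
    $nonce = base64_encode(random_bytes(16));
    header('Content-Security-Policy: ' . csp_build_policy($config, $script_sources, $nonce));
    return $nonce;
}
```

Templates would print the returned nonce on each legitimate `<script>` tag; a plugin that still injects inline script without it is exactly the incompatible case the admin switch exists for.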