XSS Follow-Ups

August 7th, 2007

Sam Ruby started a wiki page on the matter. I love low-overhead standardization.

Joe Walker suggested a SameRefererOnly cookie field.

In the bug, Jonas has suggested that we back the proposed Content Restriction header with an implementation that doesn’t rely on whitelists, but instead disables scripting on a DOM subtree. This would be much easier for us to implement, at least initially, but I wonder how easy it would be for others to standardize. It also has issues if the user saves to disk. I still need to examine what happens if a script imports the DOM into another document.
