@bz_moz regarding CSP disabling `javascript:` links…do bookmarklets *have* to be disabled? no way to distinguish and trust only them?
Replying to @really_bz
@bz_moz The UA agent can know where the script comes from (click in chrome) and decide to run it, no? @getify
Replying to @DavidBruant
@DavidBruant @getify In theory, sure. In practice, Gecko doesn't know that at the point where CSP is enforced.
Replying to @really_bz
@bz_moz @davidbruant FF was "going to try to get them working again" back in 2009. Never happened, I surmise. https://blog.mozilla.org/security/2009/06/19/shutting-down-xss-with-content-security-policy/#comment-105895
Replying to @DavidBruant
@DavidBruant @getify Yep. And fixing this needs either rewriting how CSP hooks into Gecko or major Gecko API changes, so...
3:45 PM - 8 Jan 2014
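The thread's point is that, at the moment a policy is checked, the browser sees only "a javascript: URL is being navigated to" and cannot tell a user's bookmarklet from a javascript: href that an attacker injected into the page, so CSP treats both the same way. The following is an added example (not Gecko's code and not anything from the thread) that models the CSP3 rules for that decision in Python: the governing directive falls back script-src-elem, then script-src, then default-src; 'unsafe-inline' allows the navigation unless a nonce or hash source is present; and 'unsafe-hashes' with a hash of the text after "javascript:" allows that specific URL. Function names, the FALLBACK order and the sample policies are this example's own assumptions, and the model is deliberately simplified (no report-only policies, no multiple-header merging).

```python
import base64
import hashlib

# Simplified CSP3 model (assumption of this example): the directive that
# governs a javascript: navigation, in fallback order.
FALLBACK = ("script-src-elem", "script-src", "default-src")


def parse_csp(policy: str) -> dict:
    """Parse a serialized CSP header value into {directive: [source expressions]}."""
    directives = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name, *sources = parts
        directives.setdefault(name.lower(), []).extend(sources)
    return directives


def csp_hash_source(body: str, alg: str = "sha256") -> str:
    """Serialize a CSP hash-source for `body` (for a bookmarklet, the text after 'javascript:')."""
    digest = hashlib.new(alg, body.encode("utf-8")).digest()
    return f"'{alg}-{base64.b64encode(digest).decode()}'"


def _governing_sources(directives):
    for name in FALLBACK:
        if name in directives:
            return directives[name]
    return None  # no applicable directive: the policy does not restrict scripts


def _hash_sources(sources):
    return [s for s in sources if s.strip("'").lower().startswith(("sha256-", "sha384-", "sha512-"))]


def _nonce_sources(sources):
    return [s for s in sources if s.strip("'").lower().startswith("nonce-")]


def _matches_hash(body: str, hash_sources) -> bool:
    for src in hash_sources:
        alg, _, digest = src.strip("'").partition("-")
        computed = hashlib.new(alg.lower(), body.encode("utf-8")).digest()
        if base64.b64encode(computed).decode() == digest:  # digests are case-sensitive
            return True
    return False


def javascript_url_allowed(policy: str, url: str) -> bool:
    """Would navigating to a javascript: URL (bookmarklet or injected link) be allowed under `policy`?

    The user agent has no separate 'this came from a bookmarklet' input here,
    which is why a policy that blocks injected javascript: links blocks bookmarklets too.
    """
    if not url.lower().startswith("javascript:"):
        return True  # not a javascript: navigation; out of scope for this check
    sources = _governing_sources(parse_csp(policy))
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    # A nonce cannot be attached to a javascript: navigation, but its mere presence
    # (like a hash source) switches 'unsafe-inline' off.
    has_nonce_or_hash = bool(_nonce_sources(lowered) or _hash_sources(lowered))
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        return True
    if "'unsafe-hashes'" in lowered:
        body = url[len("javascript:"):]
        if _matches_hash(body, _hash_sources(sources)):
            return True
    return False


if __name__ == "__main__":
    bookmarklet = "javascript:alert(document.domain)"  # constructed sample
    print(javascript_url_allowed("default-src 'self'", bookmarklet))                       # False
    print(javascript_url_allowed("script-src 'self' 'unsafe-inline'", bookmarklet))        # True
    allow_one = "script-src 'self' 'unsafe-hashes' " + csp_hash_source("alert(document.domain)")
    print(javascript_url_allowed(allow_one, bookmarklet))                                   # True
```

The 'unsafe-hashes' branch is the only per-URL escape hatch the model offers, and it only helps a site that knows the exact bookmarklet text in advance; a generic "trust the user's own bookmarklets" answer would need the extra provenance signal the thread says Gecko did not have at enforcement time.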