Couldn't this be simple solved with X-Content-Security-Policy header in order to... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		phatbyte on Oct 21, 2011 \| parent \| context \| favorite \| on: CNN, NYTimes, Mashable all vulnerable to XSS Couldn't this be simple solved with X-Content-Security-Policy header in order to prevent non-authorized domains to run objects on the site ?

tptacek on Oct 21, 2011 [–]

When most browsers support CSP, maybe. Most don't today.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact