[TYPO3-dev] protecting TYPO3 against cross-site scripting and click-jacking attacks?
Helmut Hummel
helmut.hummel at typo3.org
Sun Apr 17 19:09:40 CEST 2011
Hi,
On 17.04.11 17:36, Kay Strobach wrote:
> 4.5 has an XSS form protection with a special token.
Not really. It has an XSRF (or CSRF) protection.
While XSS[1], CSRF[2] and ClickJacking[3] are somehow related
vulnerabilities, they still are different.
While Content Security Policy is helpful against XSS and ClickJacking,
it does not help against CSRF. But protection against the latter is
implemented in 4.5. Integration of CSP for 4.6 would be nice, but also
not very easy.
Kind regards,
Helmut
[1]https://www.owasp.org/index.php/XSS
[2]https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
[3]https://www.owasp.org/index.php/Clickjacking
--
Helmut Hummel
TYPO3 Security Team Leader, TYPO3 v4 Core Team Member
TYPO3 .... inspiring people to share!
Get involved: typo3.org
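The distinction Helmut draws (a CSP/framing header stops clickjacking and helps against XSS, while only a per-session token stops CSRF) as an added illustration that is not part of the original post or of TYPO3's own code. The secret, session id and form name are constructed placeholders; the token scheme is a generic HMAC-over-session design, not TYPO3's implementation.

```python
import hmac
import hashlib
import secrets

# Constructed server-side secret for the example; a real deployment keeps it in configuration.
SERVER_SECRET = b"example-only-secret-key"


def csrf_token(session_id: str, form_id: str) -> str:
    """Token bound to the user's session and to one specific form/action."""
    msg = f"{session_id}|{form_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, form_id: str, submitted: str) -> bool:
    """Recompute the expected token and compare in constant time."""
    expected = csrf_token(session_id, form_id)
    return hmac.compare_digest(expected, submitted)


def anti_clickjacking_headers(allowed_origin: str = "'self'") -> dict:
    """Headers that make the browser refuse framing by foreign sites: CSP
    frame-ancestors, plus X-Frame-Options as the pre-CSP fallback.
    Neither header says anything about who submitted a POST request."""
    return {
        "Content-Security-Policy": f"frame-ancestors {allowed_origin}",
        "X-Frame-Options": "SAMEORIGIN",
    }


def handle_post(session_id: str, form_id: str, fields: dict) -> tuple[int, dict]:
    """Minimal form handler: the framing headers are always sent, but the
    request is only processed when the CSRF token for this session matches."""
    headers = anti_clickjacking_headers()
    token = fields.get("__csrf", "")
    if not csrf_token_valid(session_id, form_id, token):
        return 403, headers  # rejected: token missing or wrong
    return 200, headers      # accepted: request came from our own form


if __name__ == "__main__":
    sid = secrets.token_hex(16)  # constructed session id
    own_form = {"title": "x", "__csrf": csrf_token(sid, "edit_page")}
    cross_site = {"title": "x"}  # a form on another origin cannot include the token
    print(handle_post(sid, "edit_page", own_form)[0])    # 200
    print(handle_post(sid, "edit_page", cross_site)[0])  # 403
```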