top | item 10997720

(no title)

briandh | 10 years ago

> if you have a secure enough content security policy (and the browser in question supports it properly) it will be impossible for an attacker to execute their inserted Javascript

I don't follow your reasoning. Why wouldn't an MITM attacker modifying an HTTP response body to insert rogue Javascript also be able to modify the response headers to strip or alter the Content Security Policy?

discuss

andy_ppp|10 years ago

Good point about MITM attacks; I assumed that we were talking about cross site scripting (XSS), but I suppose you are right.

I still am willing to bet that SSL is not impossible to MITM. Someone will manage to find a flaw in such a complex system.