id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc
8584,Support Content Security Policy,nhnb,,"Content Security Policy is a W3C draft aiming to prevent the exploitation of XSS vulnerabilities. It prevents the execution of JavaScript that is directly embedded into HTML code via an inline script element, on-attributes and javascript:-urls. Only external JavaScript files from a whitelisted domain are executed. CSP is supported by Firefox since version 4.0 and by the current development versions of WebKit. Even the Internet Explorer 10 preview has basic support for CSP.

The main use case of CKEditor is to allow users to edit HTML code, which causes a non-zero risk of XSS vulnerabilities in either CKEditor itself or the surrounding website. CSP support would be very helpful to mitigate these risks.

Steps to reproduce
-------------------
1. Create a website which uses CKEditor
2. Add the following HTTP response header. In PHP this is done using the ""header"" function: X-Content-Security-Policy: default-src 'self'
3. Open the page in Firefox > 4.0

Expected Result
---------------
CKEditor should work, assuming that it was installed on the same domain as the webpage.

The Firebug extension for Firefox is very helpful because it will list all the violations of the CSP.",New Feature,confirmed,Normal,,General,,,VendorFix,rb@… kevincox@… enumag@…