Posted to commits@myfaces.apache.org by lo...@apache.org on 2013/08/12 09:15:02 UTC

svn commit: r1513058 - /myfaces/tobago/trunk/src/site/apt/migration-2.0.apt

Author: lofwyr
Date: Mon Aug 12 07:15:02 2013
New Revision: 1513058

URL: http://svn.apache.org/r1513058
Log:
add CSP hint

Modified:
    myfaces/tobago/trunk/src/site/apt/migration-2.0.apt

Modified: myfaces/tobago/trunk/src/site/apt/migration-2.0.apt
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/src/site/apt/migration-2.0.apt?rev=1513058&r1=1513057&r2=1513058&view=diff
==============================================================================
--- myfaces/tobago/trunk/src/site/apt/migration-2.0.apt (original)
+++ myfaces/tobago/trunk/src/site/apt/migration-2.0.apt Mon Aug 12 07:15:02 2013
@@ -32,6 +32,17 @@ Artifacts (JAR-Files)
 
   * tobago-facelets-\<version\>.jar
 
+CSP
+
+  TODO
+
+  Tobago supports Content Security Policy (SCP) to prevent cross-site
+  scripting (XSS) and related attacks.
+  Specification link http://www.w3.org/TR/CSP/
+  In short: The HTML page doesn't contain any JavaScript or CSS information.
+  All allowed sources for JavaScript, CSS and other resources have to be declared in special header.
+  If you have own renderers or own JavaScript in your application, this code also needs to support SCP, to use this feature.
+
 Java-API
 
    The class org.apache.myfaces.tobago.model.TreeState which has been deprecated in 1.5.x is
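
Review bot: the new CSP section abbreviates Content Security Policy as "SCP" in two places ("Content Security Policy (SCP)" and "this code also needs to support SCP"), while the section heading says "CSP"; both should read CSP. The bare "TODO" line under the heading will be rendered on the published migration page, so either remove it or say what is still missing. "The HTML page doesn't contain any JavaScript or CSS information" would be clearer as "doesn't contain any inline JavaScript or CSS", since the next sentence says external sources are allowed once declared. "in special header" is missing an article and could name the header (Content-Security-Policy), so readers with their own renderers know what to look for. The guide would also be more useful if it said how the feature is enabled, which the final sentence implies is optional ("to use this feature").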