From @Mithgol on Tue Sep 15 2015 06:59:42 GMT+0000 (UTC)
According to the Open Web Application Security Project, XSS (cross-site scripting) was the third most common Web app vulnerability in 2013.
The current security measures against XSS (such as same-origin policy or content security policy) rely on the centralized nature of the Web, e.g. different domain names mean different ownership of hostnames and thus some types of access are restricted (unless some CSP or CORS settings explicitly say otherwise).
They won’t be effective in IPFS where all data seems to have the same hostname (of its Web gate such as ipfs.io) or becomes a part of the local filesystem.
Then what can be done to prevent XSS attacks against IPFS sites?
Copied from original issue: https://github.com/ipfs/faq/issues/32
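The shared-origin situation the question describes, as an added example that is not part of the original post: it groups URLs by origin and reports origins under which several independently published sites are reachable. The URLs and content identifiers are constructed placeholders, the helper names are hypothetical, and the `/ipfs/<id>` and `/ipns/<name>` path layout of the gateway is an assumption not stated in the post.

```javascript
// Constructed sample URLs; the content identifiers are placeholders, not real hashes.
const SAMPLE_URLS = [
  'https://ipfs.io/ipfs/QmPLACEHOLDERsiteA/index.html',
  'https://ipfs.io/ipfs/QmPLACEHOLDERsiteB/app.js',
  'https://ipfs.io/ipns/example-name/index.html',
  'https://site-a.example/index.html',
  'https://site-b.example/index.html',
  'file:///home/user/ipfs-export/siteA/index.html',
];

// Return the gateway content root ("/ipfs/<id>" or "/ipns/<name>"), or "/"
// when the URL is not a path-style gateway URL (assumed layout).
function contentRoot(url) {
  const m = /^\/(ipfs|ipns)\/([^/]+)/.exec(url.pathname);
  return m ? `/${m[1]}/${m[2]}` : '/';
}

// Group URLs by serialized origin (scheme, host, port) and collect the
// distinct content roots served under each origin.
function rootsByOrigin(urls) {
  const groups = new Map();
  for (const raw of urls) {
    const url = new URL(raw);
    // file: URLs serialize to the opaque origin "null" in the WHATWG URL API;
    // how a browser isolates local files is implementation-defined.
    const key = url.origin === 'null' ? `${url.protocol}(opaque)` : url.origin;
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(contentRoot(url));
  }
  return groups;
}

// Origins that serve more than one content root: the same-origin policy
// gives the sites under such an origin no isolation from one another.
function sharedOrigins(urls) {
  const out = {};
  for (const [origin, roots] of rootsByOrigin(urls)) {
    if (roots.size > 1) out[origin] = [...roots].sort();
  }
  return out;
}

console.log(sharedOrigins(SAMPLE_URLS));
```

The two `.example` hosts each form their own origin and are not reported, while every root behind the gateway hostname lands in one group.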