
Re: JavaScript URLs and script-src nit

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 18 Feb 2011 20:46:39 -0800
Message-ID: <4D5F4B2F.6010009@mozilla.com>
To: public-web-security@w3.org
On 2/18/11 6:09 PM, Adam Barth wrote:
> In the Mozilla CSP spec, the presence of any Content-Security-Policy
> at all triggers blocking of JavaScript URL.

Because it's a form of inline-script, and inline-scripts are blocked
by the mere presence of CSP. Like inline-scripts, however, not
everyone is ready to give them up so we added a hack^H^H^H^Hoverride
that lets people turn them back on. The "script-src" directive isn't
the best place for them because people rarely write "<script
src=javascript:code>". Most often they appear as links, which aren't
otherwise covered by the current CSP proposal.

Maybe that argues that the javascript: override ought to be in the
"options" directive alongside inline-scripts.

Like inline-scripts we wanted the presence of a CSP to opt-in to a
more rigorous web regime that outlawed such things.

> IMHO, the empty CSP policy (e.g., "") shouldn't have any effects.

At what point do you disable inline-scripts then? If inline-scripts
aren't disabled by default there isn't a whole lot of point to CSP
in my opinion.

-Dan Veditz
Received on Saturday, 19 February 2011 04:48:09 GMT
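To make the two semantics under discussion concrete, here is an added example (not code from the thread, Mozilla or the W3C): a toy evaluator that decides whether an inline script or a javascript: link runs under a given policy header. It assumes the directive syntax the thread mentions ("script-src", and "options inline-script" from the Mozilla draft); the `javascript:` source token in script-src as the override for javascript: URLs is an assumption made for illustration.

```javascript
// Added example: toy policy evaluator for the "presence blocks inline" debate.
// header === null models "no CSP header at all"; "" models an empty policy.
function parsePolicy(header) {
  if (header === null) return null;
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values.map(v => v.toLowerCase()));
  }
  return directives;
}

// kind: 'inline' for <script>...</script> and event-handler attributes,
//       'javascript-url' for <a href="javascript:...">.
// mode 'presence': Mozilla semantics from the thread (any policy, even "",
//                  blocks both kinds until explicitly re-enabled).
// mode 'explicit': the alternative raised in the thread (an empty policy
//                  has no effect; only stated directives block anything).
function scriptAllowed(header, kind, mode = 'presence') {
  const policy = parsePolicy(header);
  if (policy === null) return true;                       // no CSP: nothing blocked
  if (mode === 'explicit' && policy.size === 0) return true;
  const options = policy.get('options') || [];
  const scriptSrc = policy.get('script-src') || [];
  if (kind === 'inline') return options.includes('inline-script');
  // Assumption: listing the javascript: scheme in script-src is the override.
  if (kind === 'javascript-url') return scriptSrc.includes('javascript:');
  throw new Error('unknown script kind: ' + kind);
}

// Side-by-side table for a set of constructed sample headers.
function compareSemantics(headers) {
  return headers.map(h => ({
    header: h,
    inlinePresence: scriptAllowed(h, 'inline', 'presence'),
    inlineExplicit: scriptAllowed(h, 'inline', 'explicit'),
    jsUrlPresence: scriptAllowed(h, 'javascript-url', 'presence'),
    jsUrlExplicit: scriptAllowed(h, 'javascript-url', 'explicit'),
  }));
}

// Constructed samples: no header, empty policy, inline override, javascript: override.
const SAMPLE_HEADERS = [null, '', 'options inline-script', "script-src 'self' javascript:"];
console.table(compareSemantics(SAMPLE_HEADERS));
```

The empty-policy row is where the two sides differ: under presence semantics it blocks both inline scripts and javascript: links, under explicit semantics it blocks nothing.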
