
Re: JavaScript URLs and script-src nit

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 18 Feb 2011 21:14:32 -0800
Message-ID: <4D5F51B8.7010805@mozilla.com>
To: public-web-security@w3.org
On 2/18/11 9:00 PM, Adam Barth wrote:
> I'm suggesting that we trigger disabling inline-scripts and JavaScript
> URLs on the presence of script-src (regardless of the value of the
> script-src directive) or of another directive (e.g., default-src) that
> implies script-src.

And I'm suggesting that inline scripts and javascript: urls are the
predominant source of XSS and should be banned outright.
CSP-implementing user agents may provide a way to turn those features
back on if they wish. Neither has much to do with the src of a
script tag.

-Dan Veditz
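The two rules debated above, modelled as added example code (not from the W3C list, any browser, or either author): a minimal CSP header parser plus one decision function per proposal. The directive grammar, treating default-src as the only directive implying script-src, and the user-agent opt-in flag are assumptions made for this illustration.

```python
"""Model of the two proposals in this thread: when does a delivered CSP
policy disable inline scripts and javascript: URLs?  (Added example.)"""

# Directives whose presence governs script loading.  default-src implying
# script-src follows Adam's message; the exact set is an assumption here.
SCRIPT_GOVERNING = {"script-src", "default-src"}


def parse_policy(header):
    """Split a CSP header value into {directive-name: [source, ...]}.
    Directives are ';'-separated; name and sources are whitespace-separated.
    The first occurrence of a directive wins (assumption for this model)."""
    directives = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        directives.setdefault(name, sources)
    return directives


def inline_allowed_barth(header):
    """Adam's rule: inline scripts and javascript: URLs are disabled as soon as
    script-src, or a directive implying it, is present, whatever its value.
    So 'script-src *' still disables them, while an image-only policy does not."""
    directives = parse_policy(header)
    return not (SCRIPT_GOVERNING & directives.keys())


def inline_allowed_veditz(header, ua_opt_in=False):
    """Dan's rule: any delivered policy disables them outright; a user agent
    may offer a separate opt-in (modelled as a flag) that is unrelated to the
    script-src source list."""
    directives = parse_policy(header)
    if not directives:
        return True  # no policy delivered at all, so nothing is restricted
    return ua_opt_in


def compare(header, ua_opt_in=False):
    """Side-by-side verdict for one policy string."""
    return {
        "barth": inline_allowed_barth(header),
        "veditz": inline_allowed_veditz(header, ua_opt_in),
    }
```

The interesting divergence is a policy that never mentions scripts, such as `img-src 'self'`: Adam's rule leaves inline script enabled, Dan's rule disables it.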
Received on Saturday, 19 February 2011 05:15:43 GMT
