Re: JavaScript URLs and script-src nit

On 2/18/11 9:00 PM, Adam Barth wrote:
> I'm suggesting that we trigger disabling inline-scripts and JavaScript
> URLs on the presence of script-src (regardless of the value of the
> script-src directive) or of another directive (e.g., default-src) that
> implies script-src.

And I'm suggesting that inline scripts and javascript: URLs are the
predominant source of XSS and should be banned outright.
CSP-implementing user agents may provide a way to turn those features
back on if they wish. Neither has much to do with the src of a
script tag.

-Dan Veditz

Received on Saturday, 19 February 2011 05:15:43 UTC
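Added example, not part of the thread and not the CSP specification's own code: a small JavaScript model of the script-src / default-src behaviour Adam describes, as CSP 1.0 later specified it, with the 'unsafe-inline' keyword (not mentioned in either message) standing in for the user-agent "turn it back on" switch Dan alludes to. The policy strings and URLs are constructed for the example; host matching is deliberately simplified (exact origin or host only, no wildcard subdomains, paths or scheme-only sources).

```javascript
// Minimal model of CSP script-src semantics (added example, assumptions noted inline).
// A header is a ';'-separated list of directives, each "name source-expr ...".

function parsePolicy(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP: the first occurrence of a directive wins, later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The source list governing scripts: script-src if present, otherwise default-src
// (which implies script-src), otherwise null meaning "no restriction".
function effectiveScriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Adam's proposal as CSP 1.0 adopted it: the mere presence of a script-governing
// directive disables inline script, whatever hosts it lists. The opt-back-in is the
// 'unsafe-inline' keyword (assumed here as the UA-provided switch Dan mentions).
function inlineScriptAllowed(policy) {
  const sources = effectiveScriptSources(policy);
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// A javascript: URL in href/src/action runs as inline script, so it follows the same rule.
function javascriptUrlAllowed(policy, url) {
  if (!/^\s*javascript:/i.test(url)) return true; // not a javascript: URL, nothing to block
  return inlineScriptAllowed(policy);
}

// External script: match the script's origin against the source list.
// Simplified matcher: 'self', '*', an exact origin ("https://cdn.example.com"),
// or a bare host ("cdn.example.com"). Keywords like 'none' match nothing.
function externalScriptAllowed(policy, scriptUrl, pageOrigin) {
  const sources = effectiveScriptSources(policy);
  if (sources === null) return true;
  const u = new URL(scriptUrl);
  return sources.some((s) => {
    const t = s.toLowerCase();
    if (t === "'self'") return u.origin === pageOrigin;
    if (t === '*') return true;
    if (t.includes('://')) return t === u.origin.toLowerCase();
    if (t.startsWith("'")) return false;
    return u.host.toLowerCase() === t;
  });
}

// Constructed policies illustrating the points in the thread.
const SAMPLE_POLICIES = {
  hostsOnly: "default-src 'self'; script-src 'self' https://cdn.example.com",
  wildcard: "script-src *",                     // hosts wide open, inline still off
  optIn: "script-src 'self' 'unsafe-inline'",   // UA-provided way to turn inline back on
  noScriptDirective: "img-src 'self'",          // nothing governs scripts, inline stays on
  defaultOnly: "default-src 'self'",            // default-src implies script-src
  duplicate: "script-src 'self'; script-src 'unsafe-inline'", // second copy ignored
};

function evaluateAll() {
  const out = {};
  for (const [name, header] of Object.entries(SAMPLE_POLICIES)) {
    const p = parsePolicy(header);
    out[name] = {
      inline: inlineScriptAllowed(p),
      jsUrl: javascriptUrlAllowed(p, 'javascript:alert(document.cookie)'),
      cdn: externalScriptAllowed(p, 'https://cdn.example.com/lib.js', 'https://example.com'),
      other: externalScriptAllowed(p, 'https://evil.example/x.js', 'https://example.com'),
    };
  }
  return out;
}

console.table(evaluateAll());
```

Two rows of that table carry the argument of the thread: `script-src *` allows any external host yet still blocks inline script and javascript: URLs, which is what "regardless of the value of the script-src directive" means in practice, and the only policy that leaves them enabled while naming a script source is the one carrying the explicit 'unsafe-inline' opt-in.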