
Re: JavaScript URLs and script-src nit

From: Collin Jackson <collin.jackson@sv.cmu.edu>
Date: Sat, 19 Feb 2011 05:19:17 +0000
Message-ID: <AANLkTinU4+YMZ=R+zsSRK8bS3W2x2qdCPs0HCy4=nT0H@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: public-web-security@w3.org

I think bundling the inline script blocking functionality with the
script-src directive makes a lot of sense. It's confusing to have some
security features that are on by default and others that you have to
turn on manually. The empty policy should have no effect.

On Sat, Feb 19, 2011 at 5:14 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 2/18/11 9:00 PM, Adam Barth wrote:
>> I'm suggesting that we trigger disabling inline-scripts and JavaScript
>> URLs on the presence of script-src (regardless of the value of the
>> script-src directive) or of another directive (e.g., default-src) that
>> implies script-src.
>
> And I'm suggesting that inline scripts and javascript: urls are the
> predominant source of XSS and should be banned outright.
> CSP-implementing user agents may provide a way to turn those features
> back on if they wish. Neither has much to do with the src of a
> script tag.
>
> -Dan Veditz
>
>
Received on Saturday, 19 February 2011 05:21:09 GMT
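
The two triggering rules debated in this thread, side by side, as an added example that is not part of any message here or of any CSP implementation. The function names are hypothetical, `null` stands for "no policy delivered", and reading "banned outright" as applying to every delivered policy (including an empty one) is an assumption drawn from the "empty policy" remark; the user-agent opt-back-in is not modeled because the thread does not specify it.

```javascript
// Added illustration of the thread's two proposals; all names are hypothetical.

// Split a policy string into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // skip empty segments such as "a; ;b"
    const name = tokens[0].toLowerCase();
    // Assumption: the first occurrence of a directive wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Rule 1 (Barth, supported by Jackson): inline scripts and javascript: URLs
// are disabled only when script-src, or a directive implying it
// (default-src), is present. The directive's value is irrelevant.
function inlineBlockedByDirective(policy) {
  if (policy == null) return false; // no policy delivered
  const d = parsePolicy(policy);
  return d.has("script-src") || d.has("default-src");
}

// Rule 2 (Veditz): inline scripts and javascript: URLs are banned outright.
// Assumption: "outright" means for any delivered policy, even an empty one.
function inlineBlockedOutright(policy) {
  return policy != null;
}

// Constructed sample policies, not taken from the thread.
const SAMPLES = [null, "", "img-src 'self'", "script-src *",
                 "default-src 'none'", "IMG-SRC *; Script-Src 'self'"];

function compare(policies) {
  return policies.map((p) => ({
    policy: p,
    byDirective: inlineBlockedByDirective(p),
    outright: inlineBlockedOutright(p),
  }));
}

for (const row of compare(SAMPLES)) {
  console.log(JSON.stringify(row.policy), "byDirective:", row.byDirective,
              "outright:", row.outright);
}
```

The rows where the two columns differ (the empty policy and `img-src 'self'`) are the cases the thread disagrees on.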
