
CSP : inline functions ?

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 23 Feb 2011 19:52:17 -0800
Message-ID: <AANLkTi=OAkXGg+4g8=iqFzVAYrsp98mE+jET8pzk-mUv@mail.gmail.com>
To: public-web-security@w3.org

Hi

CSP currently blocks all inline scripts and we have seen a lot of
discussion about it.

Have we considered only allowing inline function calls as an option --
a middle ground between inline scripts being enabled and disabled, i.e.

<script> function(arg1,arg2,arg3) </script>

will be allowed inline, no other inline script execution will be
allowed. You still won't be able to do <script> .. javascript ...
</script>.

The CSP spec at Mozilla
(https://wiki.mozilla.org/Security/CSP/Specification) already makes a
distinction between arbitrary code being eval'ed and function calls.
For example, setTimeout is allowed with function names as arguments
but not with strings. It seems this is similar.

I feel like this simple change will make retrofitting legacy
applications with CSP much easier.

My apologies if this has already been proposed. It would be great if
someone can point me to the discussion.

cheers
devdatta
Received on Thursday, 24 February 2011 03:53:09 GMT
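As an added illustration of the middle ground proposed above (example code, not from the post or from any CSP implementation), the following checker accepts an inline script body only when it consists of plain function-call statements `callee(arg, ...);` whose arguments are literals or bare identifiers. The exact grammar, the allowance for several statements, and the treatment of `eval`, `Function`, `setTimeout` and `setInterval` are assumptions about how such a rule might be specified, following the spec's existing distinction between a function reference and a string argument.

```javascript
// Added example: a checker for the "inline function calls only" rule.
// The grammar and the special-casing of eval/Function and the timer
// functions are assumptions about the proposal, not part of it.

const TOKEN = /\s+|[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*|\d+(?:\.\d+)?|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[(),;]|./gs;
const STRING = /^(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')$/;
const NUMBER = /^\d+(?:\.\d+)?$/;
const IDENT = /^[A-Za-z_$][\w$]*$/;                        // bare identifier, no property access
const DOTTED = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/; // callee may be app.init etc.
const EVALUATES_STRING = new Set(['eval', 'Function']);    // always turn a string into code
const TIMERS = new Set(['setTimeout', 'setInterval']);     // code only when the first arg is a string

// Split the script body into tokens, dropping whitespace.
function tokenize(src) {
  return Array.from(src.matchAll(TOKEN), m => m[0]).filter(t => !/^\s+$/.test(t));
}

// Data-like argument: string or number literal, or a bare identifier (incl. true/false/null).
function isSimpleArg(t) {
  return STRING.test(t) || NUMBER.test(t) || IDENT.test(t);
}

// Returns true when every statement in `src` is a simple function call.
function isInlineFunctionCalls(src) {
  const toks = tokenize(src);
  if (toks.length === 0) return false;
  let i = 0;
  while (i < toks.length) {
    const callee = toks[i++];
    if (!DOTTED.test(callee) || EVALUATES_STRING.has(callee)) return false;
    if (toks[i++] !== '(') return false;
    const args = [];
    if (toks[i] !== ')') {
      for (;;) {
        const a = toks[i++];
        if (a === undefined || !isSimpleArg(a)) return false; // nested calls, operators, etc.
        args.push(a);
        if (toks[i] !== ',') break;
        i++;
      }
    }
    if (toks[i++] !== ')') return false;
    // The spec's setTimeout distinction: a string first argument is code, a function name is not.
    if (TIMERS.has(callee) && STRING.test(args[0])) return false;
    if (toks[i] === ';') i++;            // optional statement terminator
  }
  return true;
}
```

Note that the checker is deliberately strict: anything it cannot classify as a plain call is rejected, so retrofitted pages would need their remaining inline logic moved into external scripts.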
