
Re: CSP : inline functions ?

From: <sird@rckc.at>
Date: Wed, 23 Feb 2011 22:45:13 -0800
Message-ID: <AANLkTi=FmDNxgJtstr-=251UQFHcW66j-LQKFO+ffS0=@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: public-web-security@w3.org
Hmm, that's still bad, right?

location.replace(name+document.cookie) for example

If you wish to keep CSP safe, don't allow this =/

Greetz!!

PS. Even if it's only user functions, something like $(name) in a
page with jQuery is enough.


-- Eduardo




On Wed, Feb 23, 2011 at 7:52 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> Hi
>
> CSP currently blocks all inline scripts and we have seen a lot of
> discussion about it.
>
> Have we considered only allowing inline function calls as an option --
> a middle ground between inline scripts being enabled and disabled, i.e.
>
> <script> function(arg1,arg2,arg3) </script>
>
> will be allowed inline, no other inline script execution will be
> allowed. You still won't be able to do <script> .. javascript ...
> </script>.
>
> The CSP spec at Mozilla
> (https://wiki.mozilla.org/Security/CSP/Specification) already makes a
> distinction between arbitrary code being eval'ed and function calls.
> For example, setTimeout is allowed with function names as arguments
> but not with strings. It seems this is similar.
>
> I feel like this simple change will make retrofitting legacy
> applications with CSP much easier.
>
> My apologies if this has already been proposed. It would be great if
> someone can point me to the discussion.
>
> cheers
> devdatta
>
>
Received on Thursday, 24 February 2011 06:46:06 GMT
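The rule the two messages argue about, written out as an added JavaScript example (this is not code from the thread, from Mozilla's CSP implementation, or from any browser): `isInlineCallOnly` models Devdatta's proposal, an inline script that consists of a single function call, and `isAllowedLiteralCall` is a hypothetical stricter variant that only accepts an allowlisted callee with literal arguments. Both function names, the regular expressions and the sample scripts other than the two quoted from the thread are assumptions made here.

```javascript
// Added example, not part of the original thread. Models the proposed
// "inline function calls only" CSP rule and a stricter hypothetical
// variant, to show that the syntactic shape of a call says nothing
// about what its argument expressions can read.

// One callee (dotted names allowed) followed by one parenthesised
// argument list and an optional trailing semicolon.
const CALL_SHAPE =
  /^\s*([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s*\((.*)\)\s*;?\s*$/s;

// String, number, boolean or null literal: nothing that reads page state.
const LITERAL =
  /^(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|-?\d+(?:\.\d+)?|true|false|null)$/;

// Split an argument list on top-level commas, honouring quotes, escapes
// and bracket nesting. Returns null when brackets or quotes are unbalanced,
// which also rejects "f(1); g(2)" style multi-statement scripts.
function splitArgs(argText) {
  const args = [];
  let depth = 0, quote = null, esc = false, cur = "";
  for (const ch of argText) {
    cur += ch;
    if (quote) {
      if (esc) esc = false;
      else if (ch === "\\") esc = true;
      else if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'") { quote = ch; continue; }
    if ("([{".includes(ch)) depth++;
    else if (")]}".includes(ch)) { depth--; if (depth < 0) return null; }
    else if (ch === "," && depth === 0) {
      args.push(cur.slice(0, -1).trim());
      cur = "";
    }
  }
  if (quote || depth !== 0) return null;
  if (cur.trim() !== "") args.push(cur.trim());
  return args;
}

// The proposal as stated in the thread: the inline script must be exactly
// one call. `src` is the text between the <script> tags.
function isInlineCallOnly(src) {
  const m = CALL_SHAPE.exec(src);
  return m !== null && splitArgs(m[2]) !== null;
}

// Hypothetical stricter rule: the callee must be on an explicit allowlist
// and every argument must be a literal, so no argument can evaluate
// `name`, `document.cookie` or any other expression.
function isAllowedLiteralCall(src, allowedCallees) {
  const m = CALL_SHAPE.exec(src);
  if (m === null) return false;
  const [, callee, argText] = m;
  if (!allowedCallees.has(callee)) return false;
  const args = splitArgs(argText);
  return args !== null && args.every((a) => LITERAL.test(a));
}

// Stand-alone demonstration on the two scripts from the thread plus one
// constructed benign call.
const ALLOWED = new Set(["initWidget"]); // constructed allowlist
for (const src of [
  "location.replace(name+document.cookie)",
  "$(name)",
  'initWidget("menu", 3)',
]) {
  console.log(
    JSON.stringify(src),
    "call-only:", isInlineCallOnly(src),
    "literal-call:", isAllowedLiteralCall(src, ALLOWED)
  );
}
```

Run under Node: the call-only check accepts both `location.replace(name+document.cookie)` and `$(name)`, because a single-call syntax restricts the shape of the statement, not what the argument expression may read or where the callee may send it. Only a rule that constrains the callee and the argument contents rejects them while still admitting `initWidget("menu", 3)`.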
