
Re: CSP : inline functions ?

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Thu, 24 Feb 2011 10:20:22 -0800
Message-ID: <AANLkTiktsSz5GNxzNcBxw+6bx5ydfH6LRk+NFY60bbux@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: public-web-security@w3.org
Yes. My concern is that right now, sites either have to enable all
inline scripts or disable them all. I was thinking this might be a
middle ground (restrained to user-defined functions only). The jQuery
example you give below is just one specific example of lots of
problems that could occur even if only user-defined functions are
allowed.

But I feel like there is at least some security benefit of this over
enabling all inline scripts. I might be wrong on that count.

=devdatta

On 23 February 2011 22:45, sird@rckc.at <sird@rckc.at> wrote:
> humm that's still bad right?
>
> location.replace(name+document.cookie) for example
>
> If you wish to keep CSP safe, don't allow this =/
>
> Greetz!!
>
> PS. even if it's only user functions, something like $(name) in a
> page with jQuery is enough.
>
>
> -- Eduardo
>
>
>
>
> On Wed, Feb 23, 2011 at 7:52 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>> Hi
>>
>> CSP currently blocks all inline scripts and we have seen a lot of
>> discussion about it.
>>
>> Have we considered only allowing inline function calls as an option --
>> a middle ground between inline scripts being enabled and disabled. I.e.
>>
>> <script> function(arg1,arg2,arg3) </script>
>>
>> will be allowed inline, no other inline script execution will be
>> allowed. You still won't be able to do <script> .. javascript ...
>> </script>.
>>
>> The CSP spec at Mozilla
>> (https://wiki.mozilla.org/Security/CSP/Specification) already makes a
>> distinction between arbitrary code being eval'ed and function calls.
>> For example, setTimeout is allowed with function names as arguments
>> but not with strings. It seems this is similar.
>>
>> I feel like this simple change will make retrofitting legacy
>> applications with CSP much easier.
>>
>> My apologies if this has already been proposed. It would be great if
>> someone can point me to the discussion.
>>
>> cheers
>> devdatta
>>
>>
>
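As an added illustration (not code from the thread or from any CSP implementation), a small JavaScript checker for the proposed "inline function calls only" mode. It contrasts the loose shape from the proposal (`name(anything)`) with a stricter variant that only admits string and number literals as arguments; the loose rule accepts both of Eduardo's cases, the strict one rejects them. The function and constant names are made up for this example.

```javascript
// Added example: toy classifier for inline <script> bodies under a
// hypothetical "function call only" CSP rule. Not part of any spec.

// Identifier: a dotted name such as init or location.replace
const IDENT = String.raw`[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*`;
// Literal-only arguments: double/single-quoted strings or numbers
const LITERAL = String.raw`(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|\d+(?:\.\d+)?)`;
const ARGS_LIT = String.raw`(?:${LITERAL}(?:\s*,\s*${LITERAL})*)?`;

// Loose rule, the shape proposed in the thread: a single call whose
// argument list may contain any expression without nested parentheses.
const LOOSE = new RegExp(String.raw`^\s*${IDENT}\s*\([^()]*\)\s*;?\s*$`);
// Strict rule: a single call whose arguments are literals only, so no
// expression (name, document.cookie, ...) can be smuggled in as an argument.
const STRICT = new RegExp(String.raw`^\s*${IDENT}\s*\(\s*${ARGS_LIT}\s*\)\s*;?\s*$`);

function isInlineCallLoose(src) { return LOOSE.test(src); }
function isInlineCallStrict(src) { return STRICT.test(src); }

// Constructed sample inline script bodies, including the two from the thread
const SAMPLES = [
  'init("widget", 3);',                            // legacy-style init call
  'location.replace(name+document.cookie)',        // Eduardo's first example
  '$(name)',                                       // Eduardo's jQuery example
  'alert(1); location.href="http://example.com"',  // two statements, not a call
];

// Returns one record per sample with the verdict of each rule
function classify(samples) {
  return samples.map(src => ({
    src,
    loose: isInlineCallLoose(src),
    strict: isInlineCallStrict(src),
  }));
}

console.table(classify(SAMPLES));
```

Only the first sample passes the strict rule; the two cases raised in the thread pass the loose rule, which is the point Eduardo makes.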
Received on Thursday, 24 February 2011 18:21:16 GMT