
Re: CSP : inline functions ?

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 25 Feb 2011 02:07:55 +0000
Message-ID: <AANLkTik494qMfLBA3_210tB-cXLaF+vP2aZEM=fV213i@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: public-web-security@w3.org

On 24 February 2011 03:52, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> Have we considered only allowing inline function calls as an option --
> a middle ground between inline scripts being enabled and disabled, i.e.
>

Inline scripts with object/function whitelists might be better. By default
innerHTML, document.write, DOM methods etc. could be turned off. Then the
policy could allow "alert", "prompt" etc.; user-definable functions should be
OK too, provided that the whitelist is inherited. CSP could even proxy stuff
like document.write/innerHTML to return only safe sanitized output.

Received on Friday, 25 February 2011 02:08:27 GMT
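An added example, not part of the thread and not code from any CSP implementation: a small Node.js model of the policy shape gaz Heyes sketches above. An inline script is run with only a whitelist of functions in scope, every other sensitive global is shadowed, and `document.write` / `innerHTML` are routed through a sanitizer. The fake `document`, the `sanitizeHtml` helper, the `runInlineScript` runner and the names on the whitelist are all constructed for illustration; parameter shadowing is not a real sandbox (prototype chains, `this` and constructors still reach the real global object), so a browser would have to enforce this inside the engine.

```javascript
// Constructed model of a CSP-style "function whitelist + proxied DOM sinks"
// policy for inline scripts. Runs under Node.js with a fake DOM; it is an
// illustration of the policy, not a security boundary.

// Illustrative sanitizer: drops <script> blocks and on* handler attributes.
// A real deployment would use a full HTML sanitizer, not two regexes.
function sanitizeHtml(html) {
  return String(html)
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Stand-in for a document: one body element, and a log of write() calls.
function makeFakeDocument() {
  const body = { innerHTML: '' };
  const doc = {
    body,
    written: [],
    write(s) { doc.written.push(s); },
    getElementById() { return body; },
  };
  return doc;
}

// Proxy the document so that write() and element.innerHTML assignments
// only ever reach the underlying DOM as sanitized output.
function proxyDocument(doc) {
  const proxyElement = (el) => new Proxy(el, {
    set(target, prop, value) {
      target[prop] = prop === 'innerHTML' ? sanitizeHtml(value) : value;
      return true;
    },
  });
  return new Proxy(doc, {
    get(target, prop) {
      if (prop === 'write') return (s) => target.write(sanitizeHtml(s));
      if (prop === 'getElementById') return (id) => proxyElement(target.getElementById(id));
      if (prop === 'body') return proxyElement(target.body);
      return target[prop];
    },
  });
}

// Run inline script source under a policy. policy.allow maps whitelisted
// names to the values the script may see; every name in `shadowed` is
// bound to undefined so the script cannot reach it by plain lookup.
function runInlineScript(code, policy, doc) {
  const shadowed = ['Function', 'globalThis', 'process', 'require', 'fetch', 'XMLHttpRequest'];
  const names = [...Object.keys(policy.allow), 'document', ...shadowed];
  const values = [...Object.values(policy.allow), proxyDocument(doc), ...shadowed.map(() => undefined)];
  const fn = new Function(...names, code);
  return fn(...values);
}

// Worked scenario: a policy that allows only alert and prompt (constructed
// stand-ins), one script that uses whitelisted calls and DOM sinks, and one
// that tries to escape through Function().
function demo() {
  const alerts = [];
  const doc = makeFakeDocument();
  const policy = { allow: { alert: (m) => alerts.push(String(m)), prompt: () => 'typed' } };

  // Whitelisted calls work; the DOM writes are sanitized on the way through.
  runInlineScript(
    'alert("hello " + prompt());' +
    'document.write("<b>x</b><script>evil()</script>");' +
    'document.getElementById("out").innerHTML = "<img src=x onerror=alert(1)>";',
    policy, doc);

  // Function is shadowed to undefined, so `new Function(...)` throws.
  const blocked = runInlineScript(
    'try { new Function("return 1")(); return "escaped"; } catch (e) { return e.constructor.name; }',
    policy, doc);

  return { alerts, written: doc.written, innerHTML: doc.body.innerHTML, blocked };
}

module.exports = { sanitizeHtml, makeFakeDocument, proxyDocument, runInlineScript, demo };
```

Calling `demo()` shows the two halves of the proposal together: the script's `alert`/`prompt` calls go through because they are on the whitelist, the `<script>` block and the `onerror` handler never reach the fake DOM, and the attempt to reach `Function` fails with a TypeError instead of escaping the policy.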
