Re: CSP : inline functions ?

On 24 February 2011 03:52, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> Have we considered only allowing inline functions calls as a option --
> a middle ground between inline-scripts being enabled and disabled. I.E
>

Inline scripts with object/function whitelists might be better. By default
innerHTML, document.write, DOM methods etc. could be turned off. Then the
policy could allow "alert", "prompt" etc.; user-definable functions should be
OK too, provided that the whitelist is inherited. CSP could even proxy stuff
like document.write/innerHTML to return only safe sanitized output.

Received on Friday, 25 February 2011 02:08:27 UTC