
Re: CSP : inline functions ?

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Thu, 24 Feb 2011 21:04:50 -0800
Message-ID: <AANLkTimQD9WpmerCcNt+ES4io-N-FewvLyKWrnF2o7Sh@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org

> Trouble is "important_variable" could be tainted with malicious data and the
> user defined function might use it in some way with a DOM function and if
> your user defined function can't use the DOM or anything then what use is
> the user defined function?

Yes. I am not saying it won't have problems. But with the rest of the
CSP lockdowns (limits on external scripts being sourced, no
arbitrary inline scripts), it might be that the amount of bad things an
attacker can do is limited.

For example, even with the full-inline-scripts-totally-off-CSP
switched on, a page could still have broken JavaScript that is
vulnerable to DOM-based XSS -- the hope is that with CSP the amount of
badness that the DOM-based XSS could achieve is limited.

=devdatta
Received on Friday, 25 February 2011 06:00:56 GMT
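To make the argument in this message concrete, here is an added example (my own code, not from the thread or from any CSP implementation): a simplified evaluator for the script-src part of a CSP header that reports whether script injected through a DOM-based XSS sink could still run inline or be loaded from another origin. The policy strings and origins are constructed for illustration; the model ignores nonces, hashes, paths and ports, and it does nothing about the vulnerable sink itself, which is the point of the message.

```javascript
// Added example: a simplified CSP script-src evaluator (not a full CSP
// implementation). Keywords follow the CSP syntax: 'self', 'unsafe-inline'.

function parseCsp(header) {
  // "default-src 'self'; script-src 'self' https://cdn.example.com"
  // -> { 'default-src': ["'self'"], 'script-src': ["'self'", "https://cdn..."] }
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function scriptSources(policy) {
  // script-src falls back to default-src; with neither, everything is allowed.
  return policy['script-src'] || policy['default-src'] || ['*'];
}

function sourceAllowsOrigin(source, origin, pageOrigin) {
  if (source === '*') return true;
  if (source === "'self'") return origin === pageOrigin;
  if (source.startsWith("'")) return false;            // keywords never name a host
  const [srcScheme, srcHost] = source.split('://');   // assumes scheme://host form
  const [scheme, host] = origin.split('://');
  if (srcHost === undefined || scheme !== srcScheme) return false;
  if (srcHost.startsWith('*.')) return host.endsWith(srcHost.slice(1));
  return host === srcHost;
}

// What could script injected by a DOM-based XSS still do under this policy?
// inlineScript covers <script>...</script> and on* handlers, both of which
// need 'unsafe-inline'; externalScript covers <script src=...> from scriptOrigin.
function whatCanInjectedScriptDo(header, pageOrigin, scriptOrigin) {
  const sources = scriptSources(parseCsp(header));
  return {
    inlineScript: sources.includes("'unsafe-inline'"),
    externalScript: sources.some(s => sourceAllowsOrigin(s, scriptOrigin, pageOrigin)),
  };
}

// Constructed policies and origins for illustration.
const locked = "default-src 'self'; script-src 'self' https://cdn.example.com";
const weak = "script-src 'self' 'unsafe-inline' *";
console.log(whatCanInjectedScriptDo(locked, 'https://app.example.com', 'https://third-party.example'));
console.log(whatCanInjectedScriptDo(weak, 'https://app.example.com', 'https://third-party.example'));
```

Under the locked policy both outcomes are false, so the injection is reduced to markup without script execution; under the weak policy both are true and CSP adds nothing.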
