
Re: CSP : inline functions ?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 24 Feb 2011 22:10:33 -0800
Message-ID: <4D6747D9.6030504@mozilla.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
CC: public-web-security@w3.org
On 2/24/11 6:35 PM, Devdatta Akhawe wrote:
> var foo=function foo(important_variable){. ... all javascript code ... }
> 
> the latter can go in external script, or in the head or wherever. The
> point is that you can then call it from the php script as
> <script>foo('<? echo $value_returned_from_sql; ?>');</script>
> 
> Are you convinced that this might make porting easier (ignoring
> whether it has better security than enabling inline scripts) ?

It'd be equivalent and just as easy (and as prone to XSS) to bury
the important variable in a custom HTML tag and pull the value out
when you need it.

  <mytag id="sql_stuff" value="<PHP-code-here>" />

then later in script (externally loaded, static)

  foo(document.getElementById("sql_stuff").getAttribute("value"))

-Dan Veditz
Received on Friday, 25 February 2011 06:11:45 GMT
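Worked example added to this archive page (not code from the thread or from Mozilla): it models the "custom tag" pattern Dan describes. The server, PHP in the thread, writes the value into an attribute; a static external script that CSP still allows reads it back with getAttribute(). The XSS exposure is entirely in whether the server escapes the value for the attribute context, so the example shows that escaping, a stand-in for the browser's entity decoding, and a check that the attribute stayed intact. The helper names (escapeAttr, renderTag, decodeAttr, readAttr, countTags, roundTrip) and the sample value are assumptions made for this example; a data-* attribute on a standard element is used in place of <mytag>.

```javascript
// Added example, not code from the mailing-list message.
// Models: server escapes value -> attribute -> external script reads it back.

// Server side: equivalent of PHP's htmlspecialchars($v, ENT_QUOTES).
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // first, so later entities are not double-escaped
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Server side: the markup that plays the role of <mytag id="sql_stuff" value="...">.
// A data-* attribute on a standard element is the usual form of this today.
function renderTag(value) {
  return '<div id="sql_stuff" data-value="' + escapeAttr(value) + '"></div>';
}

// Browser side stand-in for getAttribute(): the HTML parser decodes character
// references in attribute values, so the external script sees the original string.
function decodeAttr(encoded) {
  return encoded
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');  // last, so "&amp;lt;" decodes to "&lt;", not "<"
}

// Read the attribute the way a parser would delimit it: everything between the
// opening double quote and the next raw double quote.
function readAttr(markup, name) {
  const m = markup.match(new RegExp(name + '="([^"]*)"'));
  return m ? decodeAttr(m[1]) : null;
}

// Number of tags in the markup. For renderTag() this must always be 2 (the
// opening <div> and the closing </div>); anything else means the value broke
// out of the attribute and started a new tag, i.e. the escaping was missing.
function countTags(markup) {
  return (markup.match(/<[a-zA-Z/]/g) || []).length;
}

// Full round trip: what foo() in the thread's external script would receive.
function roundTrip(value) {
  const markup = renderTag(value);
  return {
    markup: markup,
    tags: countTags(markup),
    recovered: readAttr(markup, 'data-value')
  };
}

// Constructed sample containing every character that matters in attribute context.
const sample = 'O\'Brien said "<b>hi</b>" & left';
const result = roundTrip(sample);
console.log(result.markup);
console.log('tags:', result.tags, 'recovered equals input:', result.recovered === sample);
```

The point to take from the round trip is the one Dan makes: moving the value from an inline <script> call into an attribute changes nothing about the escaping duty on the server side; it only changes which context (HTML attribute instead of a JavaScript string literal) the value must be escaped for. In a real browser the decodeAttr step is done by the parser, and element.getAttribute("data-value") or element.dataset.value returns the original string directly.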
