
Re: CSP : inline functions ?

From: Lucas Adamski <lucas@mozilla.com>
Date: Fri, 25 Feb 2011 13:43:59 -0800
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
Message-Id: <7B9771CE-4D68-4818-941C-18F2897B80BE@mozilla.com>
To: sird@rckc.at

Hmm, that's interesting... might this not become a dangerous pattern in itself? 

<script src="somethingscary.js">
{"json":"here"}
</script>

Not a bullet we can dodge entirely, obviously, but in such security models, exposing data-consuming APIs that are overly generic can result in elevation-of-privilege type scenarios (if you think of the external JS as having inherently higher privileges - code execution - than the referencing HTML).
  Lucas.

On Feb 25, 2011, at 10:07 AM, sird@rckc.at wrote:

> And if people really want to put stuff inside <scripts> they can do.
> 
> <script src="otherscript.js">
> {"json":"here"}
> </script>
> 
> otherscript.js:
> // Assumes otherscript.js is the last <script> element in the document
> // at the time it runs, so it reads the body of its own tag.
> var scripts = document.getElementsByTagName("script");
> var lastScript = scripts[scripts.length-1];
> var configStr = lastScript.innerText || lastScript.textContent;
> var config = JSON.parse(configStr);
> 
> Or Firefox can provide this:
> 
> <script for="something">{"json":"here"}</script>
> 
> Which can be accessed later on with:
> window.config.something.json
> 
> Or something like that.. but don't make CSP less-safe please :)
> 
> Greetz
> -- Eduardo
> 
> 
> 
> 
> On Fri, Feb 25, 2011 at 9:56 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>> 
>>>  <mytag id="sql_stuff" value="<PHP-code-here>" />
>>> 
>>> then later in script (externally loaded, static)
>>> 
>>>  foo(document.getElementById("sql_stuff").getAttribute("value"))
>>> 
>> 
>> This is really slow compared to a direct call.
>> 
>> -devdatta
>> 
>> 
>> 
>>> -Dan Veditz
>>> 
>> 
>> 
> 
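The pattern Eduardo sketches and Lucas worries about, as an added example that is not part of the thread: an external script reads configuration out of the body of the `<script src>` element that loaded it. The two precautions shown are to locate that element by its own `src` instead of taking the last `<script>` in the document (a later or injected script with a body would otherwise be consumed by the wrong code), and to parse the body with `JSON.parse` so that only data, never code, is accepted. The document is simulated with plain objects so the code runs in Node without a DOM; the URLs and script names are made up.

```javascript
// Constructed stand-in for document.getElementsByTagName("script"):
// the page loads otherscript.js with a JSON body, then a later script
// (imagine it async or injected) that also carries a body meant for it alone.
const SAMPLE_SCRIPTS = [
  {
    src: "https://example.test/otherscript.js",
    textContent: '{"endpoint":"/api","retries":3}',
  },
  {
    src: "https://example.test/analytics.js",
    textContent: '{"token":"not-for-otherscript"}',
  },
];

// Naive version from the thread: read whatever the last <script> holds.
function readLastScriptBody(scripts) {
  const last = scripts[scripts.length - 1];
  return last ? last.textContent : null;
}

// Hardened version: find the element that loaded *this* script by its src,
// so the script only ever consumes data addressed to it.
function readOwnScriptBody(scripts, ownSrc) {
  const self = scripts.find((s) => s.src === ownSrc);
  return self ? self.textContent : null;
}

// Parse strictly as JSON and insist on a plain object. A body such as
// '{"a":1}; alert(1)' is rejected outright instead of ever being evaluated,
// which is the property that keeps this pattern compatible with a CSP that
// forbids inline script.
function parseConfig(text) {
  if (typeof text !== "string") return null;
  let value;
  try {
    value = JSON.parse(text);
  } catch (e) {
    return null;
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    return null;
  }
  return value;
}

// What otherscript.js would run at load time.
function loadConfig(scripts, ownSrc) {
  return parseConfig(readOwnScriptBody(scripts, ownSrc));
}

// Usage: the naive reader picks up analytics.js's body, the src-keyed
// reader returns otherscript.js's own config.
console.log(readLastScriptBody(SAMPLE_SCRIPTS));
console.log(loadConfig(SAMPLE_SCRIPTS, "https://example.test/otherscript.js"));
```

In a real page the `src` lookup is a stand-in for `document.currentScript`, which browsers added later and which did not exist when this thread was written; the strict `JSON.parse` step is the part that matters for CSP either way.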
Received on Friday, 25 February 2011 21:45:07 GMT