
Re: CSP : inline functions ?

From: Brandon Sterne <bsterne@mozilla.com>
Date: Fri, 25 Feb 2011 15:34:08 -0800
Message-ID: <4D683C70.1050404@mozilla.com>
To: Lucas Adamski <lucas@mozilla.com>
CC: sird@rckc.at, Devdatta Akhawe <dev.akhawe@gmail.com>, Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
I believe this pattern violates the HTML 5 standard for the script element:
http://www.whatwg.org/specs/web-apps/current-work/multipage/scripting-1.html#script

> If there is a src attribute, the element must be either empty or contain only script documentation that also matches script content restrictions.

-Brandon


On 2/25/11 1:43 PM, Lucas Adamski wrote:
> Hmm, that's interesting... might this not become a dangerous pattern in itself? 
> 
> <script src="somethingscary.js">
> {"json":"here"}
> </script>
> 
> Not a bullet we can dodge entirely obviously but in such security models exposing data-consuming APIs that are overly generic can result in elevation-of-privilege type scenarios (if you think of the external js as having inherently higher privileges - code execution - than the referencing HTML).
>   Lucas.
> 
> On Feb 25, 2011, at 10:07 AM, sird@rckc.at wrote:
> 
>> And if people really want to put stuff inside <scripts> they can do.
>>
>> <script src="otherscript.js">
>> {"json":"here"}
>> </script>
>>
>> otherscript.js:
>> var scripts = document.getElementsByTagName("script");
>> // scripts run synchronously in document order, so the last one is the element currently executing
>> var lastScript = scripts[scripts.length-1];
>> var configStr = lastScript.innerText || lastScript.textContent;
>> var config = JSON.parse(configStr);  // JSON.parse: parses data, never evaluates it
>>
>> Or Firefox can provide this:
>>
>> <script for="something">{"json":"here"}</script>
>>
>> Which can be accessed later on with:
>> window.config.something.json
>>
>> Or something like that.. but don't make CSP less-safe please :)
>>
>> Greetz
>> -- Eduardo
>>
>>
>>
>>
>> On Fri, Feb 25, 2011 at 9:56 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>>>
>>>>  <mytag id="sql_stuff" value="<PHP-code-here>" />
>>>>
>>>> then later in script (externally loaded, static)
>>>>
>>>>  foo(document.getElementById("sql_stuff").getAttribute("value"))
>>>>
>>>
>>> This is really slow compared to a direct call.
>>>
>>> -devdatta
>>>
>>>
>>>
>>>> -Dan Veditz
>>>>
>>>
>>>
>>
> 
> 
Received on Friday, 25 February 2011 23:35:15 GMT
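The pattern discussed in the thread, as an added example that is not part of the original messages or of Mozilla's CSP code: the page carries configuration in a non-executable `<script type="application/json">` data block (or in an attribute, as in Dan's `<mytag value="...">` pattern) and the external script parses it with `JSON.parse`, so no inline script is needed and the data is never evaluated. A `<script>` that has `src=` is refused as a carrier, following the HTML spec text quoted above. The markup, the key whitelist, the `data-config` attribute name, and the `parseConfig`/`readConfig`/`fakeElement` helpers are all constructed for this example.

```javascript
// Added example, not code from the thread or from Mozilla's CSP implementation.
// It shows a CSP-compatible way to hand page-supplied configuration to an
// external script without inline script: the page carries the data in a
// non-executable <script type="application/json"> data block (or in a data
// attribute, as in Dan's <mytag value="..."> pattern), and the external script
// parses it with JSON.parse, which yields data and never executes anything.
//
// Assumed page markup (constructed for this example):
//   <script id="app-config" type="application/json">
//     {"endpoint": "/api", "retries": 3}
//   </script>
// Browsers do not execute script elements whose type is not a JavaScript MIME
// type, so the block is inert under a CSP that forbids inline script.

// Keys the external script is willing to accept (assumption for the example).
// Whitelisting keeps the data-consuming API narrow, which addresses the
// "overly generic" concern raised in the thread.
const ALLOWED_KEYS = new Set(["endpoint", "retries"]);

// Parse configuration text strictly: valid JSON, a plain object, only known keys.
function parseConfig(text) {
  let value;
  try {
    value = JSON.parse(text); // JSON.parse, not json.parse as in the quoted snippet
  } catch (e) {
    throw new Error("config is not valid JSON: " + e.message);
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error("config must be a JSON object");
  }
  const config = {};
  for (const key of Object.keys(value)) {
    if (!ALLOWED_KEYS.has(key)) {
      throw new Error("unexpected config key: " + key);
    }
    config[key] = value[key];
  }
  if ("retries" in config && !Number.isInteger(config.retries)) {
    throw new Error("retries must be an integer");
  }
  return config;
}

// Read configuration from a DOM element. Two carriers are accepted:
//   - a <script type="application/json"> data block (its text content), or
//   - any other element with a data-config attribute (the attribute pattern).
// A script element that has a src= attribute is refused: per the HTML spec
// quoted in the thread its body may only be documentation, not data.
function readConfig(el) {
  const tag = (el.tagName || "").toLowerCase();
  if (tag === "script") {
    if (el.getAttribute("src") !== null) {
      throw new Error("refusing to read config from a script element with src=");
    }
    if (el.getAttribute("type") !== "application/json") {
      throw new Error('config script block must have type="application/json"');
    }
    return parseConfig(el.textContent);
  }
  const attr = el.getAttribute("data-config");
  if (attr === null) {
    throw new Error("element carries no data-config attribute");
  }
  return parseConfig(attr);
}

// Minimal element stand-in (constructed) so the example also runs outside a
// browser; in a page you would pass document.getElementById("app-config").
function fakeElement(tagName, attrs, textContent) {
  return {
    tagName,
    textContent,
    getAttribute: (name) =>
      Object.prototype.hasOwnProperty.call(attrs, name) ? attrs[name] : null,
  };
}

// Sample usage on the constructed markup above.
const sampleConfig = readConfig(
  fakeElement(
    "script",
    { id: "app-config", type: "application/json" },
    '{"endpoint": "/api", "retries": 3}'
  )
);
```

Because `JSON.parse` is a data parser, a value such as `{"endpoint": "alert(1)"}` comes back as a plain string and nothing runs; the whitelist and type checks then bound what the external script will act on, which is the mitigation for the elevation-of-privilege concern Lucas describes.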

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 25 February 2011 23:35:19 GMT