
Re: CSP : inline functions ?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 25 Feb 2011 16:45:26 -0800
Message-ID: <4D684D26.8090906@mozilla.com>
To: Brandon Sterne <bsterne@mozilla.com>
CC: Lucas Adamski <lucas@mozilla.com>, sird@rckc.at, Devdatta Akhawe <dev.akhawe@gmail.com>, public-web-security@w3.org

On 2/25/11 3:34 PM, Brandon Sterne wrote:
> I believe this pattern violates the HTML 5 standard for the script element:
> http://www.whatwg.org/specs/web-apps/current-work/multipage/scripting-1.html#script

Well, I suppose technically it's a violation, but browsers have to
cope with all kinds of invalid pages out there. Maybe if the spec
said there must be no element content whatsoever browsers could
ignore it, but because "script documentation" is valid that content
actually exists in the DOM. The browser correctly ignores the
element content in terms of executing anything, but the trick would
work.

> On 2/25/11 1:43 PM, Lucas Adamski wrote:
>> Hmm, that's interesting... might this not become a dangerous pattern in itself?

Sure -- the whole thread is predicated on wanting to splat
user-specific content into the document and then do something with
it in script. No matter where they put it there's a risk of XSS if
the content is not sanitized appropriately for the context.

-Dan Veditz
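The pattern discussed in this thread (user data placed in a non-executing script element and read back by external script) together with Dan's caveat about sanitizing for the context, as an added example that is not from the thread or any of its participants. The `application/json` type, the element id, and the use of JSON as the carrier format are assumptions of this example.

```javascript
// Added example, not from the thread. Embeds user-specific data in a
// non-executing <script> data block and shows the context-specific escaping
// that keeps the data from closing the element. Type/id/JSON are assumptions.

// Escape a JSON-serialised value for placement inside a <script> element.
// The HTML tokenizer does not decode entities inside <script>, so a literal
// "</script" (or "<!--") inside a JSON string ends the element early.
// JSON \u escapes are transparent to JSON.parse and contain no markup.
function jsonForScriptBlock(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Server side: render the data block. Nothing in it executes; the page's
// external script reads it back through textContent.
function renderDataBlock(id, value) {
  return `<script type="application/json" id="${id}">` +
    jsonForScriptBlock(value) + '</script>';
}

// Rough stand-in for the tokenizer's script data state: the element ends at
// the first "</script", whatever the JSON quoting says (the real tokenizer has
// extra rules around "<!--", which the escaping above also removes).
function scriptContentAsBrowserSeesIt(html) {
  const start = html.indexOf('>') + 1;
  const end = html.toLowerCase().indexOf('</script', start);
  return html.slice(start, end);
}

// Client side: what the reading script does with the block's textContent.
function readDataBlock(textContent) {
  return JSON.parse(textContent);
}

// Constructed sample: a user-controlled display name that tries to close the
// data block so that whatever follows it is parsed as markup, not data.
const hostileName = 'mallory</script><b>not data</b>';

function demo() {
  const naive = `<script type="application/json" id="user">` +
    JSON.stringify({ name: hostileName }) + '</script>';
  const safe = renderDataBlock('user', { name: hostileName });
  return {
    naiveTruncated: scriptContentAsBrowserSeesIt(naive), // cut off at the user's </script>
    safeRoundTrip: readDataBlock(scriptContentAsBrowserSeesIt(safe)).name === hostileName,
  };
}
```

The same escaping is needed whether the element is a JSON data block or a real inline script, since the tokenizer treats both the same way.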
Received on Saturday, 26 February 2011 00:46:22 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 26 February 2011 00:46:25 GMT