
Re: CSP : inline functions ?

From: <sird@rckc.at>
Date: Fri, 25 Feb 2011 19:11:53 -0800
Message-ID: <AANLkTikg7trqD7j+QhmzW+_kV2sPBymHi15EKQRvFR2Z@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Brandon Sterne <bsterne@mozilla.com>, Lucas Adamski <lucas@mozilla.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, public-web-security@w3.org
And.. the advantage of using JSON is that you get serialization.

I mean, you can still get things wrong, but at least it's not as bad
as if we allowed arbitrary code.

Aaaanyways.

-- Eduardo

On Fri, Feb 25, 2011 at 4:45 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 2/25/11 3:34 PM, Brandon Sterne wrote:
>> I believe this pattern violates the HTML 5 standard for the script element:
>> http://www.whatwg.org/specs/web-apps/current-work/multipage/scripting-1.html#script
>
> Well, I suppose technically it's a violation, but browsers have to
> cope with all kinds of invalid pages out there. Maybe if the spec
> said there must be no element content whatsoever browsers could
> ignore it, but because "script documentation" is valid that content
> actually exists in the DOM. The browser correctly ignores the
> element content in terms of executing anything, but the trick would
> work.
>
>> On 2/25/11 1:43 PM, Lucas Adamski wrote:
>>> Hmm, that's interesting... might this not become a dangerous pattern in itself?
>
> Sure -- the whole thread is predicated on wanting to splat
> user-specific content into the document and then do something with
> it in script. No matter where they put it there's a risk of XSS if
> the content is not sanitized appropriately for the context.
>
> -Dan Veditz
>
>
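The "data island" pattern the thread is arguing about, written out as an added example (this is not code from any participant): user-specific data is serialized as JSON into a non-executable script element, read back from the DOM by an external script, and escaped for the script-content context so that a `</script>` inside the data cannot end the element early. The function names, the `application/json` type choice and the constructed sample value are assumptions of this example.

```javascript
// Added example, not from the thread. Serializes user-specific data for
// embedding inside a <script> element's content and reads it back.

// JSON.stringify alone is not enough for this context: the HTML tokenizer
// closes the script element at the first "</script" (and "<!--" changes
// its state) no matter how the JSON quotes the string. Escaping "<", ">",
// "&" and the U+2028/U+2029 line terminators as \uXXXX keeps the output
// valid JSON while removing every byte the HTML parser reacts to.
function toScriptSafeJson(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Build the element. type="application/json" is not a JavaScript MIME type,
// so the browser never executes the content; `id` is assumed to be a
// developer-chosen constant, not user input (it is not attribute-escaped).
function buildDataIsland(id, value) {
  return '<script type="application/json" id="' + id + '">' +
    toScriptSafeJson(value) + "</script>";
}

// Consumer side, meant to live in an external script file (so it works
// under a CSP that forbids inline script): read the text, parse as JSON.
// `element` only needs a textContent property, so it can be tested outside
// a browser.
function readDataIsland(element) {
  return JSON.parse(element.textContent);
}

// Defensive check on the serialized form: nothing that could terminate the
// element or open a comment may survive serialization.
function isScriptSafe(serialized) {
  return !/<\/|<!--/.test(serialized);
}

// Constructed sample: a user-controlled value carrying the breakout sequence.
const sampleUser = { name: "Mallory </script><script>alert(1)</script>", id: 42 };
```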
Received on Saturday, 26 February 2011 03:12:46 GMT
