W3C home > Mailing lists > Public > public-web-security@w3.org > June 2011

Re: CSP: setAttribute allows eval from string

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 16 Jun 2011 10:52:22 -0700
Message-ID: <BANLkTinuUUNUwtv1OybUPU-G5EOYUfReRw@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: sird@rckc.at, public-web-security@w3.org
On Thu, Jun 16, 2011 at 7:56 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 16 June 2011 15:46, Eduardo Vela <sirdarckcat@gmail.com> wrote:
>>
>> Its by design.
>>
>> This also works with inline-scripts enabled:
>>
>> document.write("<script>alert(1)</script>")
>
> That's slightly different though, you're writing HTML but in my previous
> example it's clearly executing a string as JS but I take your point

I'm not sure I follow.  You're saying that inline event handlers
should be gated by unsafe-eval instead of unsafe-inline when they're
added via the DOM but the reverse when they're added via the parser?

Adam
Received on Thursday, 16 June 2011 17:53:23 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:19 UTC