- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 16 Jun 2011 14:01:37 -0700
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: Jarred Nicholls <jarred@sencha.com>, sird@rckc.at, public-web-security@w3.org
On Thu, Jun 16, 2011 at 12:34 PM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 16 June 2011 18:55, Jarred Nicholls <jarred@sencha.com> wrote:
>> I'm not following, why would there be a difference in treatment between
>> DOM access and the parser?
>
> Normally string data isn't accepted with an event specified in the DOM. So
> something like:-
> document.getElementById('x').onclick=function(){};
>
> So I thought since CSP disables eval, setTimeout etc., setAttribute should be
> included because it converts string data into JavaScript code. For example:-
> document.getElementById('x').setAttribute('onclick','alert(1)');
>
> You obviously all don't agree and that's fine.

My sense is that supplying unsafe-inline in your CSP policy basically means you don't care about XSS, so I'm not that worried about this vector.

Adam
Received on Thursday, 16 June 2011 21:02:35 UTC
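A simplified model, added here and not code from the thread or from any browser, of which script-src keyword gates each sink the two messages mention: eval/string timers fall under 'unsafe-eval', an on* attribute written by the parser or by setAttribute() falls under 'unsafe-inline', and assigning a function to el.onclick compiles no string at all. The sink descriptors and policies are constructed; nonces, hashes, host matching and report-only mode are left out.

```javascript
// Simplified model of how a CSP script-src directive gates the sinks discussed
// in the thread. Assumptions: one policy, no nonces/hashes/host sources,
// no report-only mode. Not the spec's full matching algorithm.

// Split a policy header value into directives and pick script-src,
// falling back to default-src as the spec does.
function parseScriptSrc(policy) {
  const directives = policy.split(';')
    .map(d => d.trim().split(/\s+/))
    .filter(d => d[0]);
  const d = directives.find(x => x[0] === 'script-src')
    || directives.find(x => x[0] === 'default-src');
  if (!d) return null;
  const tokens = d.slice(1);
  return {
    unsafeInline: tokens.includes("'unsafe-inline'"),
    unsafeEval: tokens.includes("'unsafe-eval'"),
  };
}

// Classify a script sink. An on* attribute is an inline event handler whether
// the HTML parser saw it or setAttribute() wrote it later: both turn a string
// into code at the same point, so CSP gates both with 'unsafe-inline'.
// Assigning a function to el.onclick never compiles a string, so it is free.
function classifySink(sink) {
  if (sink.kind === 'eval' || sink.kind === 'timer-string') return 'eval';
  if (sink.kind === 'attribute' && /^on/i.test(sink.name)) return 'inline';
  return 'none';
}

// Returns true if the policy lets the sink execute script.
function scriptAllowed(policy, sink) {
  const p = parseScriptSrc(policy);
  if (!p) return true; // no applicable directive: nothing to enforce
  switch (classifySink(sink)) {
    case 'eval': return p.unsafeEval;
    case 'inline': return p.unsafeInline;
    default: return true;
  }
}

// Constructed sinks matching the thread's examples.
const EVAL = { kind: 'eval' };
const SET_ATTR = { kind: 'attribute', name: 'onclick', value: 'alert(1)' }; // setAttribute('onclick', ...)
const PROP_FN = { kind: 'property', name: 'onclick' };                     // el.onclick = function(){}

// The policy the first message worries about: eval blocked, inline allowed.
const RELAXED = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const STRICT = "default-src 'self'; script-src 'self'";
```

Under RELAXED the string handler written by setAttribute() still runs while eval() is refused, which is the gap raised in the thread; under STRICT both string paths are blocked and only the function assignment survives.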