Re: CSP: setAttribute allows eval from string

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 17 Jun 2011 15:39:35 -0700
Message-ID: <4DFBD7A7.3040306@mozilla.com>
To: "sird@rckc.at" <sird@rckc.at>
CC: Adam Barth <w3c@adambarth.com>, gaz Heyes <gazheyes@gmail.com>, Jarred Nicholls <jarred@sencha.com>, public-web-security@w3.org
On 6/16/11 2:04 PM, sird@rckc.at wrote:
> What is the rationale behind having 2 options?
> 
> inline-script and eval-script
> 
> Via inline-script you can simulate an eval-script.
> 
> Via eval-script you can simulate an inline-script.

The primary rationale is strictly pragmatic: eval() is used in
several popular JavaScript libraries. But there is an important
difference. With inline-script malicious script can be injected. If
inline scripts are blocked (and assuming none of the whitelisted
hosts were hacked) then the script doing the eval is a trusted
script. Of course eval is still dangerous and can be used stupidly,
but it's possible to use eval() safely if you're not eval-ing
unfiltered user-supplied data.

It's risk reduction.

-Dan
Received on Friday, 17 June 2011 22:40:04 UTC
