
Re: CSP and contents of script tag

From: Brandon Sterne <bsterne@mozilla.com>
Date: Tue, 22 Mar 2011 15:12:15 -0700
Message-ID: <4D891EBF.1090204@mozilla.com>
To: Dave <dave@samadhicsecurity.com>
CC: mozilla-dev-security@lists.mozilla.org, "public-web-security@w3.org" <public-web-security@w3.org>
+CC public-web-security

Hi Dave,

Thanks for the question.  I'm CCing the group that is in the process of
standardizing CSP.

I have two points to make in response:

1. I agree that the behavior for how the resulting script node is
created should be specified.  I personally don't see any "harm" in
allowing the text inside the script node to be created.

2. There are other ways you can provide an "island of data", as you say,
without using the text section of a script element.  Script will always
have access to arbitrary DOM nodes, so JSON-encoded data can be placed
there and parsed with JSON.parse which Browserscope claims is supported
by basically every major browser [1].

Cheers,
Brandon

[1] http://www.browserscope.org/?category=security

On 03/22/2011 05:33 AM, Dave wrote:
> The CSP seems like it is going to be really useful.  I have been
> looking into specifying an approach to javascript that is compatible
> with the CSP but also takes into account other things that people are
> concerned about when designing web pages as well.  One of those things
> is giving javascript access to a 'data island' in the HTML.
> Originally I was thinking of a hidden div element with JSON encoded
> data that javascript could read.  Further research revealed some scope
> for this in HTML5, by means of specifying an in-line script tag with a
> type of "application/json", see http://dev.w3.org/html5/spec/Overview.html#script.
> 
> The CSP specification quite clearly states that a User Agent is
> supposed to not execute any in-line script.  But what exactly should
> it do with the in-line script content?  Should it make it available to
> the DOM?  Should it make it available to the DOM dependent on its type
> attribute?  What does blocking an in-line script tag even mean when
> the type of the tag isn't something the User Agent would execute
> anyway?
> 
> It would be nice to see this called out in the CSP so we don't end up
> with different User Agents doing different things with in-line script
> (and other tag) content.  Clearly the security implications of what
> should happen to the contents of script tags also need to be
> considered.
> 
> Dave
Received on Tuesday, 22 March 2011 22:10:27 GMT