
Re: Line numbers in Content Security Policy reports

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 18 Dec 2012 10:48:36 -0800
Message-ID: <50D0BA84.2070305@mit.edu>
To: public-webappsec@w3.org
On 12/18/12 10:08 AM, Mike West wrote:
> When would a line-number not be available?

In general, this is implementation specific.  In Gecko, if you have a 
script that does:

   var div = document.createElement("div");
   // handler body arrives as attribute text, not as part of any script source
   div.setAttribute("onclick", "/* some code here */");
   div.textContent = "Click me";
   document.body.appendChild(div);

and then the user clicks the text, the "some code here" will run but not 
have a useful line number associated with it.  We could try to associate 
the line number of the setAttribute call with that script, I suppose, 
but we don't store line numbers with attributes like that at the moment, 
so there would be some memory and performance hit to doing that.

> In theory it should be
> possible to grab a line number from script executing inline on a page,
> or of the call to `eval` that triggered whatever code violated the policy.

There are a lot more ways than that to enter script...

-Boris
Received on Tuesday, 18 December 2012 18:49:07 GMT
