
script-tag with html template-content

From: Oscar Finnsson <oscar.finnsson@gmail.com>
Date: Mon, 10 Sep 2012 10:45:08 +0200
Message-ID: <CA+UoyB10yTKWmAzJyRK-Ju8+7qwhxyi52XzdBm+3iETF-+XGqw@mail.gmail.com>
To: public-webappsec@w3.org

Hi,

I'm reading the CSP specification and trying to figure out if the CSP
disallows all content inside script-tags, regardless of type, or if it
only disallows content inside script-tags that the browser will
execute directly (e.g. JavaScript).

Some template engines (e.g. jQuery Template) put HTML markup inside
script-tags since the markup should not be included in the DOM
directly. Will this practice be stopped or reported as a CSP violation
when browsers implement the CSP specification?

Example:

// test.html
<!DOCTYPE html>
<html>
<head>
  <title>test</title>
  <!-- script is not a void element, so a self-closing tag does not end it -->
  <script type="text/javascript" src="test.js"></script>
</head>
<!-- the attribute value is handler code, so the function has to be called;
     it must not be named "onload", or the handler would call itself -->
<body onload="fillTemplate()">
<!-- non-JavaScript type: the browser never executes this block -->
<script id="testTemplate" type="text/some-template-lang">
  <div>Test</div>
</script>

<!-- div is not a void element either -->
<div id="foo"></div>

</body>
</html>

// test.js
// Copy the template markup into #foo once the page has loaded.
var fillTemplate = function() {
  document.getElementById('foo').innerHTML =
    document.getElementById('testTemplate').innerHTML;
};

Is the example above OK? I've tried it in recent versions of Chrome
and Firefox and it works, but I don't know how well they implement the
specification and if they will stop the above code once they've
implemented the CSP specification fully.

Regards,
Oscar
Received on Monday, 10 September 2012 15:13:59 GMT
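An added example, not part of Oscar's post and not the code of any browser or of the CSP specification: a small Node.js model of the decision CSP 1.0 makes for each <script> element and each inline event handler on a page. It assumes a simplified source-list match (scheme, host and port only, no paths or wildcards) and a fixed list of JavaScript MIME types, and the page URL, policy strings and element descriptions are constructed for the demo. It shows the distinction the question turns on: a block whose type is not a JavaScript type is never executed, so the policy is never consulted for it, while the onload attribute in test.html is inline script that a policy without 'unsafe-inline' blocks.

```javascript
// Simplified model of CSP 1.0 script handling (example code, not a browser's).
// Types the browser treats as executable script; the empty string is a
// missing type attribute. (Assumption: the legacy "text/javascript1.x"
// variants are left out for brevity.)
const JS_TYPES = new Set([
  '', 'text/javascript', 'application/javascript',
  'text/ecmascript', 'application/ecmascript',
]);

// Parse "script-src 'self' https://cdn.example; img-src *" into
// { 'script-src': ["'self'", 'https://cdn.example'], 'img-src': ['*'] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function origin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Does one source expression from the policy match this absolute script URL?
// Only scheme+host+port are compared (assumption: no path or wildcard support).
function sourceMatches(expr, scriptUrl, pageUrl) {
  if (expr === "'self'") return origin(scriptUrl) === origin(pageUrl);
  if (expr === '*') return true;
  if (expr.startsWith("'")) return false;          // 'none', 'unsafe-inline', ...
  if (expr.includes('://')) return origin(expr) === origin(scriptUrl);
  return new URL(scriptUrl).host === expr;         // bare host[:port]
}

// Decide what happens to one script under the policy.
// script = { type, src, handler }: `handler` marks an inline event-handler
// attribute such as <body onload="...">. Returns 'not-executed', 'allowed'
// or 'blocked'.
function evaluateScript(policyHeader, pageUrl, script) {
  if (!script.handler) {
    // A non-JavaScript type is never executed, so CSP is never consulted.
    const type = (script.type || '').trim().toLowerCase();
    if (!JS_TYPES.has(type)) return 'not-executed';
  }
  const directives = parsePolicy(policyHeader);
  const sources = directives['script-src'] || directives['default-src'];
  if (sources === undefined) return 'allowed';     // no applicable directive

  if (script.handler || script.src === undefined) {
    // Inline script body or event-handler attribute: CSP 1.0 allows it only
    // when the source list contains 'unsafe-inline'.
    return sources.includes("'unsafe-inline'") ? 'allowed' : 'blocked';
  }
  const absolute = new URL(script.src, pageUrl).href;
  return sources.some((s) => sourceMatches(s, absolute, pageUrl))
    ? 'allowed' : 'blocked';
}

// The pieces of Oscar's test.html, checked against a strict policy.
function demo() {
  const policy = "script-src 'self'";
  const page = 'https://app.example/test.html';   // constructed page URL
  return {
    external:   evaluateScript(policy, page, { type: 'text/javascript', src: 'test.js' }),
    template:   evaluateScript(policy, page, { type: 'text/some-template-lang' }),
    bodyOnload: evaluateScript(policy, page, { handler: true }),
    inlineJs:   evaluateScript(policy, page, { type: 'text/javascript' }),
    thirdParty: evaluateScript(policy, page, { src: 'https://cdn.example/x.js' }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Under `script-src 'self'` the external test.js is allowed, the template block is reported as not executed (so no violation), and both the onload attribute and any inline JavaScript block are blocked; the innerHTML copy in test.js is itself unaffected because it runs from the allowed external file.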
