
script-tag with html template-content

From: Oscar Finnsson <oscar.finnsson@gmail.com>
Date: Mon, 10 Sep 2012 10:45:08 +0200
Message-ID: <CA+UoyB10yTKWmAzJyRK-Ju8+7qwhxyi52XzdBm+3iETF-+XGqw@mail.gmail.com>
To: public-webappsec@w3.org

I'm reading the CSP specification and trying to figure out if the CSP
disallows all content inside script-tags, regardless of type, or if it
only disallows content inside script-tags that the browser will
execute directly (e.g. JavaScript).

Some template engines (e.g. jQuery Template) put HTML markup inside
script-tags since the markup should not be included in the DOM
directly. Will this practice be stopped or reported as a CSP violation
when browsers implement the CSP specification?


// test.html
<!DOCTYPE html>
<!-- a script element is never self-closing in HTML: "<script .../>" would
     swallow the rest of the page as script source, so it needs "</script>" -->
<script type="text/javascript" src="test.js"></script>
<!-- an onload attribute is a function body, so the function must be called -->
<body onload="onload()">
<!-- non-JavaScript type: the browser treats this as a data block and never runs it -->
<script id="testTemplate" type="text/some-template-lang">
  <!-- template markup goes here; the message's original content did not survive in the archive -->
</script>
<!-- "<div/>" is not self-closing either; it would leave the div open -->
<div id="foo"></div>
</body>

// test.js
var onload = function() {
  // copy the template's text into the page (assumed continuation: the
  // archived message is truncated after "innerHTML =")
  document.getElementById('foo').innerHTML =
    document.getElementById('testTemplate').innerHTML;
};

Is the example above OK? I've tried it in recent versions of Chrome
and Firefox and it works, but I don't know how well they implement the
specification and if they will stop the above code once they've
implemented the CSP specification fully.
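The question turns on how the browser classifies a script element before it ever consults CSP. As an added example (not part of the original message, the W3C list, or the CSP specification text), here is a small Node.js model of the HTML Standard's "prepare the script element" steps: the type attribute decides whether the element is a classic script, a module script, an import map, or a data block, and only the first three reach the CSP inline-script check. The sample elements, the `https://example.test/` origin and the simplified `policy` object are constructed for the demonstration.

```javascript
// Added example, not from the original message or the CSP specification:
// models how the HTML "prepare the script element" steps classify a <script>
// element, and therefore which elements ever reach CSP's inline-script check.
// Data blocks (any non-JavaScript type) are never executed and so are never
// subject to script-src restrictions.

// JavaScript MIME type essences listed in the HTML Standard.
const JS_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

function isJavaScriptMimeType(s) {
  // the spec compares after stripping ASCII whitespace, case-insensitively
  return JS_MIME_ESSENCES.has(s.trim().toLowerCase());
}

// `el` models the element's attributes: { type?, language?, src?, text }.
// Returns the script kind and which CSP script-src check (if any) applies.
function classifyScript(el) {
  const hasType = typeof el.type === "string";
  const hasLanguage = typeof el.language === "string" && el.language !== "";
  let typeString;
  if ((hasType && el.type === "") || (!hasType && !hasLanguage)) {
    typeString = "text/javascript";        // default: a classic script
  } else if (hasType) {
    typeString = el.type.trim();
  } else {
    typeString = "text/" + el.language;    // legacy language= attribute
  }

  let kind;
  if (isJavaScriptMimeType(typeString)) kind = "classic";
  else if (typeString.toLowerCase() === "module") kind = "module";
  else if (typeString.toLowerCase() === "importmap") kind = "importmap";
  else kind = "data-block";                // never executed; CSP not consulted

  let cspCheck = "none";
  if (kind !== "data-block") cspCheck = el.src ? "external-src" : "inline-script";
  return { kind, cspCheck };
}

// Simplified script-src policy (constructed for this example): `allowInline`
// models 'unsafe-inline', `allowedSources` models the origin allowlist.
function isBlockedByPolicy(el, policy) {
  const { cspCheck } = classifyScript(el);
  if (cspCheck === "none") return false;                  // data block: untouched
  if (cspCheck === "inline-script") return !policy.allowInline;
  return !policy.allowedSources.some((src) => el.src.startsWith(src));
}

// Constructed sample mirroring the message's test.html (URL is made up).
const SAMPLE = {
  loader:   { type: "text/javascript", src: "https://example.test/test.js", text: "" },
  template: { type: "text/some-template-lang", text: "<p>markup kept out of the DOM</p>" },
  inline:   { text: "var onload = function () {};" },   // no type: classic script
};
const POLICY = { allowInline: false, allowedSources: ["https://example.test/"] };

// One row per sample element: how it is classified and whether POLICY blocks it.
function summarize() {
  return Object.fromEntries(Object.entries(SAMPLE).map(([name, el]) => [
    name, { ...classifyScript(el), blocked: isBlockedByPolicy(el, POLICY) },
  ]));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(summarize());
}
```

Under a policy without `'unsafe-inline'`, the model blocks the inline classic script but leaves the `text/some-template-lang` data block alone, because the browser returns from the script-preparation steps before the CSP inline check is reached. Two caveats a practitioner should keep in mind: the content of a data block is still raw text that ends at the first `</script>` sequence, so template markup must not contain one; and copying that text into `innerHTML`, as test.js does, turns it into live markup, so the template itself should be as trusted as any other server-authored HTML.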

Received on Monday, 10 September 2012 15:13:59 UTC
