
Re: script-tag with html template-content

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 10 Sep 2012 08:46:47 -0700
Message-ID: <CAJE5ia_vLY-veP-N2KgjpPzS=6SoUGE20dFE5XqdyPC3ccWcew@mail.gmail.com>
To: Oscar Finnsson <oscar.finnsson@gmail.com>
Cc: public-webappsec@w3.org

CSP just stops inline <script> tags from executing.  If you're placing
something in a script tag that you don't expect to execute, CSP won't
affect you.

Adam


On Mon, Sep 10, 2012 at 1:45 AM, Oscar Finnsson
<oscar.finnsson@gmail.com> wrote:
> Hi,
>
> I'm reading the CSP specification and trying to figure out if the CSP
> disallows all content inside script-tags, regardless of type, or if it
> only disallows content inside script-tags that the browser will
> execute directly (e.g. JavaScript).
>
> Some template engines (e.g. jQuery Template) put HTML markup inside
> script-tags since the markup should not be included in the DOM
> directly. Will this practice be stopped or reported as a CSP violation
> when browsers implement the CSP specification?
>
> Example:
>
> // test.html
> <!DOCTYPE html>
> <html>
> <head>
>   <title>test</title>
>   <!-- <script> is never self-closing in HTML; without an explicit
>        </script> the parser would swallow the rest of the document -->
>   <script type="text/javascript" src="test.js"></script>
> </head>
> <body onload="renderTemplate()">
> <!-- A non-JavaScript type makes this a data block the browser never runs -->
> <script id="testTemplate" type="text/some-template-lang">
>   <div>Test</div>
> </script>
>
> <!-- <div> is not a void element either, so it needs a closing tag -->
> <div id="foo"></div>
>
> </body>
> </html>
>
> // test.js
> // Called from the body's onload attribute. Named to avoid a clash with
> // window.onload, which a global "var onload = ..." would overwrite.
> var renderTemplate = function() {
>   document.getElementById('foo').innerHTML =
>     document.getElementById('testTemplate').innerHTML;
> };
>
> Is the example above OK? I've tried it in recent versions of Chrome
> and Firefox and it works, but I don't know how well they implement the
> specification and if they will stop the above code once they've
> implemented the CSP specification fully.
>
> Regards,
> Oscar
>
>
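To make Adam's distinction concrete, here is an added example (my own code, not from the thread and not any browser's implementation) modelling how CSP 1.0 treats <script> elements: a non-JavaScript type makes the element a data block that is never executed, so script-src is never consulted for it, whereas an inline handler such as the body's onload attribute is inline script and only runs with 'unsafe-inline'. The policy string and the page origin "https://app.example" are constructed inputs, and wildcard hosts, nonces and hashes are not modelled.

```javascript
// Added example (not from the thread): a simplified model of how a CSP 1.0
// script-src directive applies to <script> elements. It is not browser code;
// it shows that the element's type decides whether it is a data block before
// CSP is consulted at all. Wildcards, nonces and hashes are not modelled.
const JS_MIME_TYPES = new Set([ // common JavaScript MIME types; "" is the default
  "", "text/javascript", "application/javascript", "text/ecmascript",
  "application/ecmascript", "application/x-javascript",
]);

// Source expressions of the script-src directive, or null if the policy
// has none (this model then leaves scripts unrestricted).
function parseScriptSrc(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name === "script-src") return sources;
  }
  return null;
}

// Does an external script URL match one of the source expressions?
function sourceAllowed(src, sources, pageOrigin) {
  const url = new URL(src, pageOrigin);
  return sources.some((expr) => {
    if (expr === "'self'") return url.origin === pageOrigin;
    if (expr === "*") return true;
    if (expr.startsWith("'")) return false; // keywords never match a URL
    const host = new URL(expr.includes("://") ? expr : `${url.protocol}//${expr}`);
    return host.protocol === url.protocol && host.host === url.host;
  });
}

// Classify one element as "data-block", "executes" or "blocked".
// element = { type, src, inline }; an inline event handler attribute such
// as onload="..." is treated the same way as an inline script body.
function classifyScript(element, policy, pageOrigin) {
  const type = (element.type || "").split(";")[0].trim().toLowerCase();
  if (!JS_MIME_TYPES.has(type)) return "data-block"; // never executed at all
  const sources = parseScriptSrc(policy);
  if (sources === null) return "executes";
  if (element.src) {
    return sourceAllowed(element.src, sources, pageOrigin) ? "executes" : "blocked";
  }
  return sources.includes("'unsafe-inline'") ? "executes" : "blocked";
}

// The page from the thread (constructed input) under "script-src 'self'":
const POLICY = "default-src 'self'; script-src 'self'";
const ORIGIN = "https://app.example";
console.log(classifyScript({ type: "text/some-template-lang", inline: "<div>Test</div>" }, POLICY, ORIGIN)); // data-block
console.log(classifyScript({ type: "", inline: "renderTemplate()" }, POLICY, ORIGIN)); // blocked: inline handler
```

The external test.js is still allowed by 'self', which is exactly why the template-in-a-script pattern survives a strict policy while the inline onload attribute does not.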
Received on Monday, 10 September 2012 15:47:50 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 10 September 2012 15:47:51 GMT