RE: script-tag with html template-content from Erlend Oftedal on 2012-09-10 (public-webappsec@w3.org from September 2012)

From: Erlend Oftedal <eoftedal@gmail.com>
Date: Mon, 10 Sep 2012 09:30:09 -0700
To: Erlend Oftedal <eoftedal@gmail.com>, Adam Barth <w3c@adambarth.com>, Oscar Finnsson <oscar.finnsson@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <-3615133109189015438@unknownmsgid>

Or even better, you can solve the problem by precompiling the templates
on the server.

Erlend

From: Erlend Oftedal
Sent: 10.09.2012 18:24
To: Adam Barth; Oscar Finnsson
Cc: public-webappsec@w3.org
Subject: RE: script-tag with html template-content
Actually some of those templating engines will be problematic because
they use eval internally to "compile" the templates to javascript
functions. So you may have to specify 'unsafeEval' as script-src for
them to run. This can be safe as long as you don't use eval and friends
in unsafe way(e.g. directly with user input) elsewhere.

Erlend

Sent from my c64
From: Adam Barth
Sent: 10.09.2012 17:48
To: Oscar Finnsson
Cc: public-webappsec@w3.org
Subject: Re: script-tag with html template-content
CSP just stops inline <script> tags from executing.  If you're placing
something in a script tag that you don't expect to execute, CSP won't
affect you.

Adam

On Mon, Sep 10, 2012 at 1:45 AM, Oscar Finnsson
<oscar.finnsson@gmail.com> wrote:
> Hi,
>
> I'm reading the CSP specification and trying to figure out if the CSP
> disallows all content inside script-tags, regardless of type, or if it
> only disallows content inside script-tags that the browser will
> execute directly (e.g. javascript).
>
> Some template engines (e.g. jQuery Template) put html markup inside
> script-tags since the markup should not be included in the DOM
> directly. Will this practice be stopped or reported as a CSP violation
> when browsers implement the CSP specification?
>
> Example:
>
> // test.html
> <!DOCTYPE html>
> <html>
> <head>
>   <title>test</title>
>   <script type="text/javascript" src="test.js"/>
> </head>
> <body onload="onload">
> <script id="testTemplate" type="text/some-template-lang">
>   <div>Test</div>
> </script>
>
> <div id="foo"/>
>
> </body>
> </html>
>
> // test.js
> var onload = function() {
>   document.getElementById('foo').innerHTML =
> document.getElementById('testTemplate').innerHTML;
> };
>
> Is the example above OK? I've tried it in recent versions of Chrome
> and Firefox and it works, but I don't know how well they implement the
> specification and if they will stop the above code once they've
> implemented the CSP specification fully.
>
> Regards,
> Oscar
>
>

Received on Tuesday, 11 September 2012 11:55:37 UTC