Re: CSP script hashes from Jacob Hoffman-Andrews on 2013-02-12 (public-webappsec@w3.org from February 2013)

From: Jacob Hoffman-Andrews <jsha@twitter.com>
Date: Tue, 12 Feb 2013 11:10:18 -0800
To: Bryan McQuade <bmcquade@google.com>
Cc: Yoav Weiss <yoav@yoav.ws>, Eric Chen <eric.chen@sv.cmu.edu>, Nicholas Green <ngreen@twitter.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CADzQPXvMxrTUV+CEFsKb=TyUqRnBTa2XvJY-+MqE6RXDJx-+4A@mail.gmail.com>

> I like this but I don't think it plays well with the HTML5 spec. The HTML5
> spec says that upon encountering a (non-async, non-deferred) script, the
> parser itself must block until that script executes. The reason is that the
> script can emit HTML through e.g. document.write and that emitted HTML must
> be processed immediately after the point where the executing script block
> closes. This can change the structure of the document by emitting e.g.
> unbalanced tags. So it's actually not really possible to parse beyond the
> first script block w/o executing it if we're following the HTML5 spec, as I
> understand.
>

This makes sense, thanks for clarifying. I'm on board now with the
hash-per-element approach.

Received on Tuesday, 12 February 2013 19:30:33 UTC