Re: CSP script hashes from Eric Chen on 2013-02-12 (public-webappsec@w3.org from February 2013)

From: Eric Chen <eric.chen@sv.cmu.edu>
Date: Tue, 12 Feb 2013 12:55:37 -0800
To: Nicholas Green <ngreen@twitter.com>
Cc: Bryan McQuade <bmcquade@google.com>, Ian Melven <imelven@mozilla.com>, Jacob Hoffman-Andrews <jsha@twitter.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Yoav Weiss <yoav@yoav.ws>
Message-ID: <CAF8haaxqm8dGSH71ytngEutdw75EyRBp0=Gfr9JHKC0+D0d6MQ@mail.gmail.com>

> So I don't see a benefit to allowing dynamically injected <script>
> tags.  Rather than injecting a script tag from JS one could just
> execute JS, so I see nothing problematic about prohibiting dynamic
> addition of inline script blocks.  On the other hand I don't see a
> major risk allowing these scripts to run either, no strong opinion.


I think one of the problems disallowing dynamically injected <script> tags
is trying to address is DOM XSS, where the document.write function call is
trustworthy but the content of document.write is not trustworthy. In this
case, I actually think blocking these inline scripts is much better than
allowing them. If the host page wants to allow these scripts, they can
always modify the CSP policy dynamically to include the hash of the dynamic
content (assuming a <meta>-like element is used for CSP).

-- 
-Eric

Received on Tuesday, 12 February 2013 20:56:06 UTC