
Re: CSP script hashes

From: Eric Chen <eric.chen@sv.cmu.edu>
Date: Tue, 12 Feb 2013 12:55:37 -0800
Message-ID: <CAF8haaxqm8dGSH71ytngEutdw75EyRBp0=Gfr9JHKC0+D0d6MQ@mail.gmail.com>
To: Nicholas Green <ngreen@twitter.com>
Cc: Bryan McQuade <bmcquade@google.com>, Ian Melven <imelven@mozilla.com>, Jacob Hoffman-Andrews <jsha@twitter.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Yoav Weiss <yoav@yoav.ws>

> So I don't see a benefit to allowing dynamically injected <script>
> tags.  Rather than injecting a script tag from JS one could just
> execute JS, so I see nothing problematic about prohibiting dynamic
> addition of inline script blocks.  On the other hand I don't see a
> major risk allowing these scripts to run either, no strong opinion.


I think one of the problems disallowing dynamically injected <script> tags
is trying to address is DOM XSS, where the document.write function call is
trustworthy but the content of document.write is not trustworthy. In this
case, I actually think blocking these inline scripts is much better than
allowing them. If the host page wants to allow these scripts, they can
always modify the CSP policy dynamically to include the hash of the dynamic
content (assuming a <meta>-like element is used for CSP).

-- 
-Eric
Received on Tuesday, 12 February 2013 20:56:06 GMT
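
Added illustration, not part of the message above or of any CSP draft: a Node.js model of the hash check under discussion, showing why markup written by a trusted `document.write` call still fails when its inline script body was never hashed, and how the host page can opt dynamic content in by adding its hash. The `'sha256-<base64>'` source syntax is assumed from later CSP levels, and every function name and sample string is hypothetical.

```javascript
// Added example: models hash-based allowlisting of inline <script> bodies.
// Assumption: the policy uses the 'sha256-<base64>' form from later CSP levels.
const { createHash } = require('node:crypto');

// Hash source expression for one inline script body.
function hashSource(scriptText) {
  const digest = createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Collect the hash sources listed in the policy's script-src directive.
function parseScriptHashes(policy) {
  const directive = policy.split(';').map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith('script-src '));
  if (!directive) return new Set();
  return new Set(directive.split(/\s+/).slice(1).filter((t) => t.startsWith("'sha256-")));
}

// Decision a user agent would make for one inline script body.
function inlineScriptAllowed(policy, scriptText) {
  return parseScriptHashes(policy).has(hashSource(scriptText));
}

// Constructed sample: the author hashes the inline script they wrote, which
// itself calls document.write() with a value taken from the page's URL.
const trustedInline = "document.write('<p>Hello ' + location.hash.slice(1) + '</p>');";
const policy = `default-src 'self'; script-src 'self' ${hashSource(trustedInline)}`;

// Constructed sample: a script body arriving through that document.write()
// content. The call is trusted, the content is not, and its hash is unlisted.
const injectedInline = "alert('not written by the page author')";

// Constructed sample: dynamic content the host page does want to run.
const dynamicInline = "initWidget({ theme: 'dark' });";

function demo() {
  // Opt-in path from the message: extend the policy with the dynamic hash.
  const extended = `${policy} ${hashSource(dynamicInline)}`;
  return {
    trusted: inlineScriptAllowed(policy, trustedInline),
    injected: inlineScriptAllowed(policy, injectedInline),
    dynamicBeforeOptIn: inlineScriptAllowed(policy, dynamicInline),
    dynamicAfterOptIn: inlineScriptAllowed(extended, dynamicInline),
    injectedAfterOptIn: inlineScriptAllowed(extended, injectedInline),
  };
}

console.log(demo());
```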
