- From: Harssh Mahajan <harssh@gmail.com>
- Date: Fri, 10 Jun 2016 20:46:04 +0530
- To: WebAppSec WG <public-webappsec@w3.org>
- Cc: dveditz@mozilla.com, Harshit Sinha <harshitsinha1102@gmail.com>
Received on Friday, 10 June 2016 15:16:32 UTC
Hi,

The script-src: 'unsafe-inline' does 2 jobs:

1. Allow execution of inline & on-page JS.
*2. Allow JS events such as onclick, onchange, etc.*

JS events cannot always be bound using JS, as it doesn't work on some browsers (on mobile devices).

Allowing only JS events would not open up more vectors for XSS if we restrict it to calling functions (onclick='jsFunc();') only & not executing inline JS (onclick='prompt(..)').

Maybe we could add a new value for script-src: unsafe-js-event would only allow calling functions using JS events. unsafe-inline would only allow execution of JS code on page.

With domain white-listing, the scope will be limited.

Regards,
Harssh Mahajan
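The two jobs of 'unsafe-inline' described in the message, made concrete as an added example (not part of the mailing-list post and not endorsed by the WG): a small Python audit that scans an HTML page for inline `<script>` blocks and for inline event-handler attributes, and splits the handlers into the narrow "call one named function" shape the message proposes (`onclick='jsFunc();'`) versus arbitrary inline code (`onclick='prompt(..)'`). The `FUNC_CALL_ONLY` rule is a hypothetical formalization of the message's distinction, the sample HTML is constructed, and `unsafe-js-event` is the author's proposal, not an actual CSP source expression; the suggested policy therefore only uses values that exist in CSP.

```python
"""Audit an HTML page for the two things script-src 'unsafe-inline' permits:
inline <script> blocks and inline event-handler attributes.
Added example; not code from the mailing-list message."""
import re
from html.parser import HTMLParser

# Hypothetical rule matching the message's "call a function only" shape,
# e.g. onclick="jsFunc();". Not a CSP concept; used here for classification.
FUNC_CALL_ONLY = re.compile(r"^\s*[A-Za-z_$][\w$.]*\s*\(\s*\)\s*;?\s*$")


class InlineScriptAuditor(HTMLParser):
    """Collects inline <script> bodies and on* attributes from an HTML string."""

    def __init__(self):
        super().__init__()
        self._in_inline_script = False
        self._buf = []
        self.inline_scripts = []   # bodies of <script> elements without src
        self.handler_calls = []    # (tag, attr, value): bare function calls
        self.handler_code = []     # (tag, attr, value): arbitrary inline JS

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "script":
            self._in_inline_script = "src" not in attrs
            self._buf = []
        for name, value in attrs.items():
            if name.startswith("on") and value is not None:
                entry = (tag, name, value)
                if FUNC_CALL_ONLY.match(value):
                    self.handler_calls.append(entry)
                else:
                    self.handler_code.append(entry)

    def handle_endtag(self, tag):
        if tag == "script":
            body = "".join(self._buf).strip()
            if self._in_inline_script and body:
                self.inline_scripts.append(body)
            self._in_inline_script = False
            self._buf = []

    def handle_data(self, data):
        if self._in_inline_script:
            self._buf.append(data)


def audit(html):
    """Return a report of everything that would require inline permission."""
    p = InlineScriptAuditor()
    p.feed(html)
    p.close()
    return {
        "inline_scripts": p.inline_scripts,
        "handler_calls": p.handler_calls,
        "handler_code": p.handler_code,
    }


def needs_unsafe_inline(report):
    """True if any finding would be blocked by a script-src without 'unsafe-inline'."""
    return any(report.values())


def suggest_policy(report, nonce="PLACEHOLDER_NONCE"):
    """Build a script-src value for the report using only values CSP defines.

    Inline <script> blocks can be allowed individually with a nonce, but an
    event-handler attribute cannot carry a nonce, so any handler (even the
    "function call only" kind) forces 'unsafe-inline'. CSP Level 2 browsers
    ignore 'unsafe-inline' once a nonce or hash source is present, so the two
    are not combined here.
    """
    if report["handler_calls"] or report["handler_code"]:
        return "script-src 'self' 'unsafe-inline'"
    if report["inline_scripts"]:
        return "script-src 'self' 'nonce-%s'" % nonce
    return "script-src 'self'"


# Constructed sample page exercising each category.
SAMPLE_HTML = """<html><body>
<script src="/static/app.js"></script>
<script>var page = 'home';</script>
<button onclick="jsFunc();">Save</button>
<select onchange="prompt('x')"></select>
<a href="#" onclick="return false">no</a>
</body></html>"""

if __name__ == "__main__":
    rep = audit(SAMPLE_HTML)
    for key, items in rep.items():
        print(key, items)
    print(suggest_policy(rep))
```

Running the audit on the sample shows why the message's narrow category matters: a single `onclick="jsFunc();"` is enough to force the page onto 'unsafe-inline', which also re-enables every other inline script. (CSP Level 3 later added 'unsafe-hashes' for hashing specific handler attributes, which addresses part of this gap without a new `unsafe-js-event` value.)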