Re: CSP script-src - Allow Js Events

That's a pretty broad exemption since functions can do arbitrarily complex
and powerful things. You might be interested in CSP3's
unsafe-hashed-attributes, though:
https://w3c.github.io/webappsec-csp/#unsafe-hashed-attributes-usage It
allows whitelisted-by-hash inline event handlers.

On Fri, Jun 10, 2016, 8:18 AM Harssh Mahajan <harssh@gmail.com> wrote:

> Hi,
>
> The  script-src: 'unsafe-inline' does 2 jobs:
> 1. Allow execution of inline & on page js.
> *2. Allow Js events such as onclick, onchange, etc*
>
> Js events cannot always be bound using js as it doesn't work on some
> browsers (on mobile devices).
> Allowing only Js events would not open up more vectors for XSS if we
> restrict it to calling functions (onclick='jsFunc();') only & not
> executing inline js (onclick='prompt(..)').
>
> Maybe we could add new value for script-src:
> unsafe-js-event would only allow calling Functions using js events.
> unsafe-inline would only allow execution of js code on page.
> With domain white-listing, the scope will be limited.
>
> Regards,
> Harssh Mahajan
>

Received on Friday, 10 June 2016 16:44:08 UTC