- From: Kevin Gibbons <kevin@shapesecurity.com>
- Date: Thu, 19 Mar 2020 15:04:35 -0700
- To: public-webappsec@w3.org
- Message-ID: <CAG0BYEqVrftjNJfvMz1JVgdNY6eoJ61Z7KZocdC+-JuwSVQ4VQ@mail.gmail.com>
(I've copied this from the github repository, which appears to be totally
unmaintained. You can read it there with formatting:
https://github.com/w3c/webappsec-csp/issues/426 )
For example, if I have
<script nonce="asdf">
x = document.createElement('script');
x.textContent = 'console.log(0)';
document.head.appendChild(x);
</script>
on a page with a CSP of `script-src 'strict-dynamic' 'nonce-asdf'`, does it
log 0 or not?
As best I can tell, the CSP spec says no. In particular,
- The inserted script lacks a src attribute, so step 15 of HTML's prepare a
script governs, which calls
- Should element’s inline type behavior be blocked by Content Security
Policy? with type "script", which in step 3.1.1 calls
- the inline check for script-src, which in step 4 calls
- Does element match source list for type and source?, which
- fails to permit the script via allowing all inline behavior for type
"script"
- fails to permit the script via a nonce-source expression, because element
does not have a nonce attribute,
- fails to permit the script via a hash-source expression, because there
are none, and therefore
- fails to permit the script at all.
(Does element match source list for type and source? makes no mention of
strict-dynamic except to turn off unsafe-inline.)
But Firefox and Chrome both allow it. (Safari does not support
strict-dynamic at all.)
The section on the usage of strict-dynamic is not helpful; it says that
"Script requests which are triggered by non-"parser-inserted" script
elements are allowed", which implies it only applies to external scripts,
but also says "scripts created at runtime will be allowed to execute",
which implies it would apply to inline ones as well.
Received on Thursday, 19 March 2020 23:16:18 UTC