Re: JavaScript URLs and script-src nit

On 2/18/11 6:09 PM, Adam Barth wrote:
> In the Mozilla CSP spec, the presence of any Content-Security-Policy
> at all triggers blocking of JavaScript URL.

Because it's a form of inline-script, and inline-scripts are blocked
by the mere presence of CSP. Like inline-scripts, however, not
everyone is ready to give them up so we added a hack^H^H^H^Hoverride
that lets people turn them back on. The "script-src" directive isn't
the best place for them because people rarely write "<script
src=javascript:code>". Most often they appear as links, which aren't
otherwise covered by the current CSP proposal.

Maybe that argues that the javascript: override ought to be in the
"options" directive alongside inline-scripts.

Like inline-scripts, we wanted the presence of a CSP to opt-in to a
more rigorous web regime that outlawed such things.

> IMHO, the empty CSP policy (e.g., "") shouldn't have any effects.

At what point do you disable inline-scripts then? If inline-scripts
aren't disabled by default there isn't a whole lot of point to CSP
in my opinion.

-Dan Veditz

Received on Saturday, 19 February 2011 04:48:09 UTC
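The behaviour argued over above (a javascript: link being treated as inline script, blocked by the mere presence of a policy, and re-enabled only by an explicit override) can be modelled with a small checker. This is an added illustration, not code from the list thread or from Mozilla's implementation; it assumes the draft's ';'-separated directive syntax and treats `options inline-script` as the override, with the empty policy `""` counting as "policy present".

```python
"""
Model of how the Mozilla CSP draft discussed in the thread treats inline
scripts and javascript: URLs.  Assumptions (not from the page's spec text):
directives are separated by ';', each directive is "<name> <values...>",
and "options inline-script" is the override that re-enables inline script.
"""
from typing import Optional


def parse_policy(header: Optional[str]) -> Optional[dict]:
    """Return None when no CSP header is present, else {directive: [values]}."""
    if header is None:
        return None
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:          # empty segment, e.g. the policy "" itself
            continue
        name, *values = tokens
        directives[name.lower()] = [v.lower() for v in values]
    return directives


def inline_script_allowed(header: Optional[str]) -> bool:
    """Inline scripts run only when CSP is absent or explicitly overridden."""
    policy = parse_policy(header)
    if policy is None:          # no CSP header at all: legacy behaviour
        return True
    # The presence of any policy, even an empty one, opts the page in to
    # blocking; only the override turns inline script back on.
    return "inline-script" in policy.get("options", [])


def javascript_url_allowed(header: Optional[str]) -> bool:
    """javascript: URLs are a form of inline script and follow the same rule."""
    return inline_script_allowed(header)


def classify_link(href: str, header: Optional[str]) -> str:
    """Report what clicking a link does under the given policy."""
    if href.strip().lower().startswith("javascript:"):
        return "runs" if javascript_url_allowed(header) else "blocked"
    return "navigates"          # ordinary URL, not covered by script rules


if __name__ == "__main__":
    # Constructed sample header and links, to show the three outcomes.
    for policy in (None, "", "script-src 'self'",
                   "script-src 'self'; options inline-script"):
        print(repr(policy), classify_link("javascript:void(0)", policy))
```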