Re: JavaScript URLs and script-src nit

I think bundling the inline script blocking functionality with the
script-src directive makes a lot of sense. It's confusing to have some
security features that are on by default and others that you have to
turn on manually. The empty policy should have no effect.

On Sat, Feb 19, 2011 at 5:14 AM, Daniel Veditz <> wrote:
> On 2/18/11 9:00 PM, Adam Barth wrote:
>> I'm suggesting that we trigger disabling inline-scripts and JavaScript
>> URLs on the presence of script-src (regardless of the value of the
>> script-src directive) or of another directive (e.g., default-src) that
>> implies script-src.
> And I'm suggesting that inline scripts and javascript: urls are the
> predominant source of XSS and should be banned outright.
> CSP-implementing user agents may provide a way to turn those feature
> back on if they wish. Neither has much to do with the src of a
> script tag.
> -Dan Veditz

Received on Saturday, 19 February 2011 05:21:09 UTC