CSP : inline functions ?

Hi

CSP currently blocks all inline scripts and we have seen a lot of
discussion about it.

Have we considered only allowing inline function calls as an option --
a middle ground between inline scripts being enabled and disabled? I.e.

<script> function(arg1,arg2,arg3) </script>

will be allowed inline; no other inline script execution will be
allowed. You still won't be able to do <script> ... javascript ...
</script>.

The CSP spec at Mozilla
(https://wiki.mozilla.org/Security/CSP/Specification) already makes a
distinction between arbitrary code being eval'ed and function calls.
For example, setTimeout is allowed with function names as arguments
but not with strings. It seems this is similar.

I feel like this simple change will make retrofitting legacy
applications with CSP much easier.

My apologies if this has already been proposed. It would be great if
someone can point me to the discussion.

cheers
devdatta

Received on Thursday, 24 February 2011 03:53:09 UTC
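As an added example that is not part of the original post, the checker below sketches the decision the proposed middle ground would need to make: a <script> body is accepted only when it is one plain function call with literal or identifier arguments, and anything else stays blocked. The grammar, the function names and the sample markup are this example's own assumptions.

```javascript
// Added example, not code from the original post: a checker for the proposed
// "inline function calls only" CSP mode. A <script> body passes only if it is
// a single  name(arg, ...)  call whose arguments are literals or bare
// identifiers (no nested calls, member access or statements). Assumed grammar.

const IDENT = String.raw`[A-Za-z_$][\w$]*`;
const STRING = String.raw`"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'`;
const NUMBER = String.raw`-?\d+(?:\.\d+)?`;
const ARG = `(?:${STRING}|${NUMBER}|true|false|null|${IDENT})`;
// Whole body: one call, optional trailing semicolon, surrounding whitespace.
const CALL_RE = new RegExp(
  String.raw`^\s*(${IDENT})\s*\(\s*((?:${ARG}\s*(?:,\s*${ARG}\s*)*)?)\)\s*;?\s*$`
);

// eval and Function turn their argument into code by definition; the timer
// functions only do so when handed a string, which the spec the post cites
// already forbids while still allowing setTimeout(tick, 100).
const CODE_FROM_STRING = new Set(['eval', 'Function', 'execScript']);
const TIMERS = new Set(['setTimeout', 'setInterval']);

// Returns the callee name for an allowed inline call, or null when blocked.
function allowedInlineCall(scriptBody) {
  const m = CALL_RE.exec(scriptBody);
  if (!m) return null;
  const [, name, args] = m;
  if (CODE_FROM_STRING.has(name)) return null;
  // Under this grammar only string literals can contain a quote character.
  if (TIMERS.has(name) && /["']/.test(args)) return null;
  return name;
}

// Scan an HTML fragment for inline <script> blocks and classify each one
// (regex extraction suits this constructed sample; a browser would do this
// in its HTML parser).
function classifyInlineScripts(html) {
  const re = /<script(?:\s[^>]*)?>([\s\S]*?)<\/script>/gi;
  const results = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const fn = allowedInlineCall(m[1]);
    results.push({ body: m[1].trim(), allowed: fn !== null, fn });
  }
  return results;
}

// Constructed sample page: two legacy call sites that would keep working,
// followed by blocks that carry arbitrary code and stay blocked.
const SAMPLE_HTML = `
<script>initPage('home', 3);</script>
<script> setTimeout(tick, 100) </script>
<script>document.write(unescape(location.hash))</script>
<script>var x = 1; initPage(x)</script>
<script>setTimeout('tick()', 100)</script>
`;
```

Calling `classifyInlineScripts(SAMPLE_HTML)` marks the first two blocks allowed and the remaining three blocked; the callee name is what a policy would then have to trust, since the page still decides which functions are reachable.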