- From: gaz Heyes <gazheyes@gmail.com>
- Date: Fri, 25 Feb 2011 02:07:55 +0000
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: public-web-security@w3.org
Received on Friday, 25 February 2011 02:08:27 UTC
On 24 February 2011 03:52, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> Have we considered only allowing inline function calls as an option --
> a middle ground between inline scripts being enabled and disabled. I.e.
> inline scripts with object/function whitelists might be better.

By default innerHTML, document.write, DOM methods etc. could be turned off. Then the policy could allow "alert", "prompt" etc.; user-definable functions should be OK too, provided that the whitelist is inherited. CSP could even proxy stuff like document.write/innerHTML to return only safe sanitized output.
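The two ideas in the reply above (a policy that only permits whitelisted function names, and a dangerous sink such as innerHTML proxied so that writes come out sanitized) sketched in plain JavaScript. This is an added illustration, not part of the thread and not a feature of any shipped CSP; the `policy` object, the `registry` map, `makeElement` and the escaping rules are all hypothetical stand-ins chosen so the code runs in Node without a DOM.

```javascript
// Added illustration of the whitelist-plus-proxied-sink idea from the reply.
// Nothing here is real CSP behaviour; the policy shape, registry and the
// mock element are constructed for this example.

// Hypothetical policy: function names an inline script may call.
const policy = {
  allowedFunctions: new Set(["alert", "prompt", "renderGreeting"]),
};

// Functions known to the page. In a browser this would be the global
// object; a plain map keeps the example self-contained.
const registry = {
  alert: (msg) => `alert:${msg}`,
  prompt: (msg) => `prompt:${msg}`,
  renderGreeting: (name) => `Hello, ${name}`, // user-defined, listed in the policy
  eval: (src) => `eval:${src}`,               // deliberately NOT in the policy
};

// Invoke a function by name only if the policy lists it.
// Returns the call result; throws for anything not whitelisted or unknown.
function callWhitelisted(name, ...args) {
  if (!policy.allowedFunctions.has(name)) {
    throw new Error(`blocked by policy: ${name}`);
  }
  const fn = registry[name];
  if (typeof fn !== "function") {
    throw new Error(`unknown function: ${name}`);
  }
  return fn(...args);
}

// Sanitizer used by the proxied sink: escape the characters that can open
// or close markup, so whatever is assigned is rendered as text only.
function sanitizeHtml(input) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
  };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal constructed stand-in for a DOM element (not a real node).
function makeElement() {
  return { innerHTML: "" };
}

// Wrap an element so every assignment to innerHTML passes through the
// sanitizer first; other properties are set untouched.
function proxySinks(el) {
  return new Proxy(el, {
    set(target, prop, value) {
      target[prop] = prop === "innerHTML" ? sanitizeHtml(value) : value;
      return true;
    },
  });
}

// Sample run on constructed input: markup written to the proxied sink comes
// back escaped, a listed function runs, an unlisted one is refused.
function demo() {
  const el = proxySinks(makeElement());
  el.innerHTML = "<b>bold</b><script>x()</script>";
  let evalBlocked = false;
  try {
    callWhitelisted("eval", "1+1");
  } catch (e) {
    evalBlocked = true;
  }
  return {
    sanitized: el.innerHTML,
    greeting: callWhitelisted("renderGreeting", "Dev"),
    evalBlocked,
  };
}
```

Running `demo()` shows the sink holding `&lt;b&gt;bold&lt;/b&gt;&lt;script&gt;x()&lt;/script&gt;` rather than live markup, `renderGreeting` returning its string because the policy names it, and the unlisted `eval` entry rejected before it is ever looked up. The interesting design question the reply raises, inheritance of the whitelist into user-defined functions, is what `renderGreeting` stands in for: it only runs because the policy lists it explicitly.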