Re: CSP : inline functions ?

> Trouble is "important_variable" could be tainted with malicious data and the
> user defined function might use it in some way with a DOM function and if
> your user defined function can't use the DOM or anything then what use is
> the user defined function?

Yes. I am not saying it won't have problems. But with the rest of the
CSP lockdowns (limits on external scripts being sourced, limits on no
arbitrary inline scripts), it might be that the amount of bad things
attacker can do is limited.

For example, even with the full-inline-scripts-totally-off-CSP
switched on, a page could still have broken javascript that is
vulnerable to DOM based XSS -- the hope is that with CSP the amount of
badness that the DOM based XSS could achieve is limited.


Received on Friday, 25 February 2011 06:00:56 UTC