Re: CSP : inline functions ?

And.. the advantage of using JSON is that you get serialization.

I mean, you can still get things wrong, but at least it's not as bad
as if we allowed arbitrary code.

Aaaanyways.

-- Eduardo




On Fri, Feb 25, 2011 at 4:45 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 2/25/11 3:34 PM, Brandon Sterne wrote:
>> I believe this pattern violates the HTML 5 standard for the script element:
>> http://www.whatwg.org/specs/web-apps/current-work/multipage/scripting-1.html#script
>
> Well, I suppose technically it's a violation, but browsers have to
> cope with all kinds of invalid pages out there. Maybe if the spec
> said there must be no element content whatsoever browsers could
> ignore it, but because "script documentation" is valid that content
> actually exists in the DOM. The browser correctly ignores the
> element content in terms of executing anything, but the trick would
> work.
>
>> On 2/25/11 1:43 PM, Lucas Adamski wrote:
>>> Hmm, that's interesting... might this not become a dangerous pattern in itself?
>
> Sure -- the whole thread is predicated on wanting to splat
> user-specific content into the document and then do something with
> it in script. No matter where they put it there's a risk of XSS if
> the content is not sanitized appropriately for the context.
>
> -Dan Veditz
>
>

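The data-block pattern the thread is discussing, as an added example (not code from the thread or from any of its participants): per-user data is serialized into a script element with a non-JavaScript type, so it is never executed under a CSP without 'unsafe-inline', and is read back from the DOM with JSON.parse; the escaping is what "sanitized appropriately for the context" means for a script element body. Function names, the element id and the sample value are assumptions made for this example.

```javascript
// Serialize a value so it can sit inside a <script> element body.
// JSON.stringify alone is not enough: the HTML parser ends the element
// at the first "</script" and "<!--" also affects script tokenization,
// so every "<" (and, for symmetry, ">") is replaced with its JSON \u
// escape, which is still valid JSON for the reader side.
function toScriptSafeJson(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e');
}

// Server side: render the data block. The id must be a server-controlled
// constant, never user input, because it lands in an attribute context.
// The type is not a JavaScript MIME type, so the browser keeps the text
// in the DOM without executing it.
function renderDataBlock(id, value) {
  return '<script id="' + id + '" type="application/json">' +
         toScriptSafeJson(value) + '</script>';
}

// Client side: parse the block text. In a browser this text comes from
// document.getElementById(id).textContent; it is passed in here so the
// example also runs under Node.
function readDataBlock(text) {
  return JSON.parse(text);
}

// Constructed sample: a user-controlled string carrying the sequences
// that would otherwise terminate the element or start a comment.
const sample = { name: 'a</script><!--b', prefs: { theme: 'dark' } };
const html = renderDataBlock('user-data', sample);

// Check: the markup contains exactly one "</script" (the real closing
// tag) and the escaped body round-trips to the original value.
function selfCheck() {
  const closes = (html.match(/<\/script/gi) || []).length;
  const body = html.slice(html.indexOf('>') + 1, html.lastIndexOf('</script>'));
  return closes === 1 && readDataBlock(body).name === sample.name;
}

console.log(selfCheck());
```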
Received on Saturday, 26 February 2011 03:12:46 UTC