- From: gaz Heyes <gazheyes@gmail.com>
- Date: Thu, 16 Jun 2011 12:02:04 +0100
- To: public-web-security@w3.org
Received on Thursday, 16 June 2011 11:02:31 UTC
Hey all
CSP needs to account for event handlers when used with setAttribute, as it
allows strings to be eval'd:
<?php
session_start();
// Policy forbids inline <script> blocks; only same-origin script is allowed.
header("X-Content-Security-Policy: allow 'self'; options inline-script");
?>
<script>
window.onload=function() {
// The attribute value is a string, yet the browser compiles it to code
// when the link is clicked: a string-to-code sink the policy does not stop.
document.links[0].setAttribute('onclick','alert(1)');
}
</script>
<a href="#">test</a>
Cheers
Gareth
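The sink Gareth points at, and one way a page could defend itself against it, as an added example that is not part of the original post or of any CSP implementation. Any attribute named on<event> is compiled from a string to a function by the browser when the event fires, so setAttribute('onclick', str) behaves like eval(str). The helper names (isInlineHandlerAttribute, installSetAttributeGuard) and the FakeElement stand-in for a DOM element are assumptions made so the code runs under Node without a browser; in a page you would pass Element.prototype instead.

```javascript
// Added example, not from the original post. Shows the string-to-code
// sink created by setAttribute('on<event>', ...) and a defensive wrapper
// that refuses such writes. Assumed helper names; FakeElement is a
// constructed stand-in for an HTMLElement so this runs under Node.

// Attribute names are case-insensitive in HTML, so match case-insensitively.
const INLINE_HANDLER_RE = /^on[a-z]+$/i;

function isInlineHandlerAttribute(name) {
  return INLINE_HANDLER_RE.test(String(name).trim());
}

// Replaces proto.setAttribute with a version that records and refuses
// inline handler attributes and passes everything else through unchanged.
// Returns the list of blocked writes and an uninstall() to restore the original.
function installSetAttributeGuard(proto, report) {
  const original = proto.setAttribute;
  const blocked = [];
  proto.setAttribute = function guardedSetAttribute(name, value) {
    if (isInlineHandlerAttribute(name)) {
      blocked.push({ name: String(name), value: String(value) });
      if (report) report(name, value);
      return; // refuse the write; the attribute is never created
    }
    return original.call(this, name, value);
  };
  return { blocked, uninstall() { proto.setAttribute = original; } };
}

// Constructed stand-in for an element: stores attributes in a Map,
// lower-casing names the way an HTML document does.
class FakeElement {
  constructor() { this.attrs = new Map(); }
  setAttribute(name, value) {
    this.attrs.set(String(name).toLowerCase(), String(value));
  }
  getAttribute(name) {
    const v = this.attrs.get(String(name).toLowerCase());
    return v === undefined ? null : v;
  }
}

// Replays the post's payload against a guarded element and returns
// what ended up on the element and which writes were refused.
function demo() {
  const guard = installSetAttributeGuard(FakeElement.prototype);
  const link = new FakeElement();
  link.setAttribute('href', '#');
  link.setAttribute('onclick', 'alert(1)');      // the post's payload
  link.setAttribute('ONMOUSEOVER', 'alert(2)');  // case variant of the same sink
  guard.uninstall();
  return {
    href: link.getAttribute('href'),
    onclick: link.getAttribute('onclick'),
    blocked: guard.blocked.map(b => b.name),
  };
}
```

The guard is defence in depth, not a policy: it only covers setAttribute, so markup sinks such as innerHTML, outerHTML or insertAdjacentHTML that carry on<event> attributes are untouched, and script already running in the page can hold its own reference to the original method. CSP-enforcing browsers today treat a handler created this way as inline script and refuse to compile it unless the policy carries 'unsafe-inline', which is the behaviour the post asks for.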