CSP: setAttribute allows eval from string

Hey all

CSP needs to account for event handlers when used with setAttribute as it
allows strings to be eval'd

<?php
session_start();
// Legacy (Firefox-era) CSP header: 'options inline-script' re-enables inline
// script, but eval-from-string stays disallowed since 'eval-script' is not set.
header("X-Content-Security-Policy: allow 'self'; options inline-script");
?>
<script>
window.onload=function() {
    // The string handed to setAttribute is compiled into an event handler,
    // i.e. string-to-code, yet the policy above does not stop it.
    document.links[0].setAttribute('onclick','alert(1)');
}
</script>

<a href="#">test</a>

Cheers

Gareth

Received on Thursday, 16 June 2011 11:02:31 UTC
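An added defensive example, not part of Gareth's post: a shim that treats setAttribute on any on* attribute as the string-to-code sink the post describes, refuses the write and reports it, much as a CSP violation report would. The pure checks run under node (the Element.prototype install is skipped where no DOM exists); the name guardSetAttribute and the constructed fake prototype are assumptions made for this example.

```javascript
// Added example (not from the original post): treat setAttribute('on*', str)
// as string-to-code and block/report it instead of installing the handler.

const EVENT_HANDLER_RE = /^on[a-z]+$/i;

// True when writing this attribute would compile its string value into code.
function isStringToCodeAttribute(name) {
  return EVENT_HANDLER_RE.test(String(name));
}

// Wrap proto.setAttribute so event-handler attributes are rejected and passed
// to `report` (a CSP-report-like callback). Returns an uninstall function.
function guardSetAttribute(proto, report) {
  const original = proto.setAttribute;
  proto.setAttribute = function (name, value) {
    if (isStringToCodeAttribute(name)) {
      report({ attribute: String(name).toLowerCase(), value: String(value) });
      return; // refuse the write; no handler is created
    }
    return original.call(this, name, value);
  };
  return () => { proto.setAttribute = original; };
}

// Self-check against a constructed stand-in for Element.prototype, mirroring
// the post's setAttribute('onclick','alert(1)') on a link.
function demo() {
  const reports = [];
  const fakeProto = { setAttribute(n, v) { this[n] = v; } };
  const uninstall = guardSetAttribute(fakeProto, r => reports.push(r));
  const link = Object.create(fakeProto);
  link.setAttribute('href', '#');          // harmless attribute, allowed
  link.setAttribute('onclick', 'alert(1)'); // string-to-code, blocked
  uninstall();
  return { reports, hasHandler: 'onclick' in link, href: link.href };
}

// In a real page, install on the DOM prototype and log what was blocked.
if (typeof Element !== 'undefined') {
  guardSetAttribute(Element.prototype, r => console.warn('blocked', r));
}
```

The shim only covers the setAttribute path shown in the post (not property assignment such as el.onclick = ... or markup injected via innerHTML); the durable fix is a policy whose script-src omits 'unsafe-inline', under which current CSP treats such handlers as inline script and blocks them.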