- From: gaz Heyes <gazheyes@gmail.com>
- Date: Thu, 16 Jun 2011 12:02:04 +0100
- To: public-web-security@w3.org
Received on Thursday, 16 June 2011 11:02:31 UTC
Hey all

CSP needs to account for event handlers when used with setAttribute as it allows strings to be eval'd

<?php session_start(); header("X-Content-Security-Policy: allow 'self'; options inline-script"); ?>
<script>
window.onload=function() {
  document.links[0].setAttribute('onclick','alert(1)');
}
</script>
<a href="#">test</a>

Cheers
Gareth
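As an added example (not part of Gareth's mail or of any CSP implementation): a page-side reporting hook that wraps setAttribute and refuses string-valued on* handler attributes, the pattern the snippet above relies on. It assumes only an element-like object exposing setAttribute; FakeElement is a constructed stand-in so the code runs outside a browser, where Element.prototype would be guarded instead.

```javascript
// Event handler content attributes (onclick, onload, ...) all start with "on".
// HTML attribute names are case-insensitive, so match case-insensitively.
function isEventHandlerAttribute(name) {
  return /^on[a-z]+$/i.test(String(name));
}

// Wrap setAttribute on a prototype so that any attempt to install an event
// handler from a string is dropped and reported to onViolation. Returns the
// original function so the wrapper can be removed again.
function installSetAttributeGuard(proto, onViolation) {
  const original = proto.setAttribute;
  proto.setAttribute = function (name, value) {
    if (isEventHandlerAttribute(name)) {
      onViolation({ attribute: String(name).toLowerCase(), value: String(value) });
      return; // refuse: the string would otherwise be compiled like inline script
    }
    return original.call(this, name, value);
  };
  return original;
}

// Constructed stand-in for a DOM element so the example runs in plain Node.
class FakeElement {
  constructor() { this.attrs = new Map(); }
  setAttribute(name, value) { this.attrs.set(String(name).toLowerCase(), String(value)); }
  getAttribute(name) {
    const v = this.attrs.get(String(name).toLowerCase());
    return v === undefined ? null : v;
  }
}

// Replays the mail's setAttribute('onclick', 'alert(1)') against a guarded
// element and returns what was recorded and what actually landed on it.
function demo() {
  const violations = [];
  installSetAttributeGuard(FakeElement.prototype, v => violations.push(v));
  const link = new FakeElement();
  link.setAttribute('href', '#');                 // ordinary attribute, allowed
  link.setAttribute('onclick', 'alert(1)');       // the pattern from the mail
  link.setAttribute('ONLOAD', 'alert(2)');        // mixed case is still a handler
  return {
    violations,
    href: link.getAttribute('href'),
    onclick: link.getAttribute('onclick'),
  };
}
```

The hook is a way to find such uses in your own page and report them, not a security boundary: it lives in the same script context as the code it intercepts.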