- From: Eduardo Vela <sirdarckcat@gmail.com>
- Date: Thu, 16 Jun 2011 09:46:01 -0500
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: public-web-security@w3.org
Received on Thursday, 16 June 2011 14:46:36 UTC
It's by design.
This also works with inline-scripts enabled:
document.write("<script>alert(1)</script>")
On Jun 16, 2011 6:03 AM, "gaz Heyes" <gazheyes@gmail.com> wrote:
> Hey all
>
> CSP needs to account for event handlers when used with setAttribute as it
> allows strings to be eval'd
>
> <?php
> session_start();
> header("X-Content-Security-Policy: allow 'self'; options inline-script");
> ?>
> <script>
> window.onload=function() {
> document.links[0].setAttribute('onclick','alert(1)');
> }
> </script>
>
> <a href="#">test</a>
>
> Cheers
>
> Gareth
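Whether a string handed to setAttribute('onclick', ...) or to document.write('<script>...') ever runs is decided by the policy, not by the DOM API: both are inline script in CSP terms. The following is an added example, not code from either message or from any browser's CSP implementation. It is a Node.js checker that parses a policy string and reports whether it permits inline script, for the pre-standard X-Content-Security-Policy syntax used in Gareth's test ("options inline-script") and for the standard Content-Security-Policy syntax. The function names, the sample policies beyond the one quoted in the thread, and the nonce value are assumptions made for the example.

```javascript
// Added example, not code from the thread or from any browser's CSP implementation.
// Classifies whether a CSP policy string permits arbitrary inline script. Under CSP,
// "inline script" covers inline <script> blocks, javascript: URLs and inline event
// handler attributes, so a string passed to setAttribute('onclick', ...) or written
// by document.write('<script>...') runs only when the policy allows inline script.

// Split a policy into a Map of directive name -> source list.
// Directives are ";"-separated; tokens within a directive are whitespace-separated.
// A duplicated directive keeps its first occurrence, as browsers do.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of String(policy).split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns true when the policy lets inline script run.
// headerName selects the syntax: the pre-standard X-Content-Security-Policy used in
// the thread ("options inline-script") or the standard Content-Security-Policy.
function allowsInlineScript(policy, headerName = 'Content-Security-Policy') {
  const d = parsePolicy(policy);

  if (headerName.toLowerCase() === 'x-content-security-policy') {
    // Old Firefox syntax: inline script is off unless "options inline-script" is given.
    const opts = (d.get('options') || []).map((s) => s.toLowerCase());
    return opts.includes('inline-script');
  }

  // Standard CSP: script-src governs script; default-src is the fallback.
  const sources = d.get('script-src') || d.get('default-src');
  if (!sources) return true; // no script-governing directive: nothing restricts inline script

  const lower = sources.map((s) => s.toLowerCase());
  if (!lower.includes("'unsafe-inline'")) return false;

  // CSP Level 2 and later: a nonce or hash source makes 'unsafe-inline' ignored,
  // and CSP Level 3's 'strict-dynamic' does the same, so unknown inline strings
  // no longer run even though the keyword is present.
  const overridesUnsafeInline = lower.some(
    (s) => /^'(nonce-|sha(256|384|512)-)/.test(s) || s === "'strict-dynamic'",
  );
  return !overridesUnsafeInline;
}

// Report the thread's policy alongside hardened and modern counterparts.
// The policies below are constructed for this example; only the first one is quoted
// from Gareth's message.
function reportPolicies() {
  const cases = [
    ['X-Content-Security-Policy', "allow 'self'; options inline-script"],
    ['X-Content-Security-Policy', "allow 'self'"],
    ['Content-Security-Policy', "script-src 'self' 'unsafe-inline'"],
    ['Content-Security-Policy', "script-src 'self'"],
    ['Content-Security-Policy', "script-src 'nonce-r4nd0m' 'unsafe-inline'"], // hypothetical nonce
  ];
  return cases.map(([header, policy]) => ({
    header,
    policy,
    inlineAllowed: allowsInlineScript(policy, header),
  }));
}

for (const r of reportPolicies()) {
  console.log(`${r.inlineAllowed ? 'ALLOWS' : 'blocks'} inline script  ${r.header}: ${r.policy}`);
}
```

Run it with node. The thread's header reports as allowing inline script, the same header without "options inline-script" and a modern `script-src 'self'` report as blocking it, and `'unsafe-inline'` beside a nonce reports as blocking because the keyword is ignored once a nonce or hash is present. On the application side the equivalent fix is to register handlers with addEventListener and a function reference, which is not inline script under CSP, rather than assigning a string to an on* attribute.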