Re: CSP: setAttribute allows eval from string

On Thu, Jun 16, 2011 at 7:56 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 16 June 2011 15:46, Eduardo Vela <sirdarckcat@gmail.com> wrote:
>>
>> It's by design.
>>
>> This also works with inline-scripts enabled:
>>
>> document.write("<script>alert(1)</script>")
>
> That's slightly different though, you're writing HTML but in my previous
> example it's clearly executing a string as JS, but I take your point.

I'm not sure I follow.  You're saying that inline event handlers
should be gated by unsafe-eval instead of unsafe-inline when they're
added via the DOM but the reverse when they're added via the parser?

Adam

Received on Thursday, 16 June 2011 17:53:23 UTC