On Mon, Feb 3, 2014 at 2:23 AM, Frederik Braun <fbraun@mozilla.com> wrote:
> On 31.01.2014 06:43, Hajime Morrita wrote:
> > Generally I prefer master-CSP model than the "own CSP" model due to its
> > simplicity but I agree that unsafe-script kills the conciseness of
> Imports.
> >
> > To make inline scripts work with imports, we might want another CSP
> > directive like "safe-script", which allows parser-made <script> but
> > doesn't allow dynamic ones. There is some room to talk what should be
> > allowed as "safe-script" though. My gut feeling is A) <script>: Allowed,
> > but B) inline event handlers: Not allowed.
>
> What is a "safe" script? What do you mean by parser-made script tags?
> We must be careful not to allow bypassing CSP with a simple XSS.
>
Forget about "safe". I tried to give some name to the notion.
Parser-made script means the <script> tags and its contents that are
written in HTML bytestream, not given by DOM mutation calls from scripts.
As HTML Imports doesn't allow document.write(), it seems safe to assume
that these scripts are statically given by the author, not an attacker.
I agree that we should be careful here though. We need to take care of
innerHTML somehow for example.
> >
> > Does this make sense?
>
>
--
morrita