- From: Oscar Finnsson <oscar.finnsson@gmail.com>
- Date: Mon, 10 Sep 2012 10:45:08 +0200
- To: public-webappsec@w3.org
Hi,

I'm reading the CSP specification and trying to figure out if the CSP disallows all content inside script-tags, regardless of type, or if it only disallows content inside script-tags that the browser will execute directly (e.g. JavaScript).

Some template engines (e.g. jQuery Template) put HTML markup inside script-tags since the markup should not be included in the DOM directly. Will this practice be stopped or reported as a CSP violation when browsers implement the CSP specification?

Example:

// test.html
<!DOCTYPE html>
<html>
<head>
<title>test</title>
<!-- script and div are not void elements, so they need explicit closing tags -->
<script type="text/javascript" src="test.js"></script>
</head>
<body onload="fillTemplate()">
<!-- template markup in a script element with a non-JavaScript type -->
<script id="testTemplate" type="text/some-template-lang">
<div>Test</div>
</script>
<div id="foo"></div>
</body>
</html>

// test.js
// Named fillTemplate rather than onload so the global does not collide with
// window.onload; the body onload attribute above calls it.
var fillTemplate = function() {
  document.getElementById('foo').innerHTML =
    document.getElementById('testTemplate').innerHTML;
};

Is the example above OK? I've tried it in recent versions of Chrome and Firefox and it works, but I don't know how well they implement the specification and if they will stop the above code once they've implemented the CSP specification fully.

Regards,
Oscar
Received on Monday, 10 September 2012 15:13:59 UTC
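Added example, not part of the message above or of the CSP specification: a small Node.js script that models the distinction the question turns on. A browser only executes a script element whose type is absent, empty, a JavaScript MIME type, or "module"; any other type (such as the text/some-template-lang used above) makes the element a data block that is never executed, so a script-src directive without 'unsafe-inline' has nothing to refuse there. What that directive does refuse in the posted page is the inline event handler attribute on body. The JavaScript MIME type list is the one in the HTML standard; the sample page is constructed from the message with the tags written out in full, and the HTML scan is a minimal regex over that sample, not a real parser.

```javascript
// Added example (not from the message or the CSP spec): which <script>
// elements a browser executes, and which parts of a page a CSP script-src
// directive without 'unsafe-inline' refuses. The HTML "parsing" is a minimal
// regex scan that is sufficient for the constructed sample below.

// JavaScript MIME type essences listed by the HTML standard. A <script>
// whose type attribute is absent, empty, or one of these is a classic
// script; type="module" is a module script; any other type makes the
// element a data block whose contents the browser never executes.
const JS_MIME_TYPES = new Set([
  'application/ecmascript', 'application/javascript',
  'application/x-ecmascript', 'application/x-javascript',
  'text/ecmascript', 'text/javascript', 'text/javascript1.0',
  'text/javascript1.1', 'text/javascript1.2', 'text/javascript1.3',
  'text/javascript1.4', 'text/javascript1.5', 'text/jscript',
  'text/livescript', 'text/x-ecmascript', 'text/x-javascript',
]);

// Returns 'classic', 'module' or 'data-block' for a type attribute value
// (pass undefined when the attribute is absent). Parameters such as
// ";charset=utf-8" are dropped and the comparison is case-insensitive.
function classifyScript(typeAttr) {
  if (typeAttr === undefined || typeAttr.trim() === '') return 'classic';
  const essence = typeAttr.split(';')[0].trim().toLowerCase();
  if (JS_MIME_TYPES.has(essence)) return 'classic';
  if (essence === 'module') return 'module';
  return 'data-block';
}

// Collects every <script> element and every on*="..." event handler
// attribute from the markup.
function findScriptContent(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const typeMatch = attrs.match(/\btype\s*=\s*"([^"]*)"/i);
    const type = typeMatch ? typeMatch[1] : undefined;
    findings.push({
      kind: 'script',
      type,
      external: /\bsrc\s*=/i.test(attrs),
      execution: classifyScript(type),
      body: m[2].trim(),
    });
  }
  const handlerRe = /<(\w+)\b[^>]*?\s(on\w+)\s*=\s*"([^"]*)"/gi;
  while ((m = handlerRe.exec(html)) !== null) {
    findings.push({ kind: 'handler', element: m[1], attribute: m[2], body: m[3] });
  }
  return findings;
}

// Inline-script rules of a script-src directive: without 'unsafe-inline',
// inline event handler attributes and the bodies of inline classic/module
// scripts are refused. External scripts are governed by the source list
// instead, and data blocks are never executed, so neither is listed here.
function inlineScriptViolations(html, allowUnsafeInline) {
  if (allowUnsafeInline) return [];
  return findScriptContent(html).filter((f) =>
    f.kind === 'handler' || (!f.external && f.execution !== 'data-block'));
}

// Constructed sample: the page from the message, with the script and div
// tags written out in full and the load handler named fillTemplate.
const SAMPLE_PAGE = `<!DOCTYPE html>
<html>
<head>
<title>test</title>
<script type="text/javascript" src="test.js"></script>
</head>
<body onload="fillTemplate()">
<script id="testTemplate" type="text/some-template-lang">
<div>Test</div>
</script>
<div id="foo"></div>
</body>
</html>`;

// Same page with the event handler attribute removed (the handler would be
// registered from test.js with addEventListener instead).
const SAMPLE_PAGE_FIXED = SAMPLE_PAGE.replace(' onload="fillTemplate()"', '');

for (const [name, page] of [['original', SAMPLE_PAGE], ['fixed', SAMPLE_PAGE_FIXED]]) {
  console.log(name, JSON.stringify(inlineScriptViolations(page, false)));
}
```

Run with node: the original sample reports exactly one violation, the body onload attribute; the template data block is not listed because it is inert markup that the browser never executes, and the only thing that later turns it into DOM is the innerHTML assignment in test.js, which CSP does not govern. Removing the onload attribute and registering the handler from the external script leaves nothing for a policy without 'unsafe-inline' to refuse.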