script-tag with html template-content


I'm reading the CSP specification and trying to figure out if the CSP
disallows all content inside script-tags, regardless of type, or if it
only disallows content inside script-tags that the browser will
execute directly (e.g. javascript).

Some template engines (e.g. jQuery Template) put html markup inside
script-tags since the markup should not be included in the DOM
directly. Will this practice be stopped or reported as a CSP violation
when browsers implement the CSP specification?


// test.html
<!DOCTYPE html>
  <script type="text/javascript" src="test.js"/>
<body onload="onload">
<script id="testTemplate" type="text/some-template-lang">

<div id="foo"/>


// test.js
var onload = function() {
  document.getElementById('foo').innerHTML =

Is the example above OK? I've tried it in recent versions of Chrome
and Firefox and it works, but I don't know how well they implement the
specification and if they will stop the above code once they've
implemented the CSP specification fully.


Received on Monday, 10 September 2012 15:13:59 UTC