- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 10 Sep 2012 08:46:47 -0700
- To: Oscar Finnsson <oscar.finnsson@gmail.com>
- Cc: public-webappsec@w3.org
CSP just stops inline <script> tags from executing. If you're placing
something in a script tag that you don't expect to execute, CSP won't
affect you.

Adam

On Mon, Sep 10, 2012 at 1:45 AM, Oscar Finnsson <oscar.finnsson@gmail.com> wrote:
> Hi,
>
> I'm reading the CSP specification and trying to figure out if the CSP
> disallows all content inside script-tags, regardless of type, or if it
> only disallows content inside script-tags that the browser will
> execute directly (e.g. javascript).
>
> Some template engines (e.g. jQuery Template) put html markup inside
> script-tags since the markup should not be included in the DOM
> directly. Will this practice be stopped or reported as a CSP violation
> when browsers implement the CSP specification?
>
> Example:
>
> // test.html
> <!DOCTYPE html>
> <html>
> <head>
> <title>test</title>
> <script type="text/javascript" src="test.js"></script>
> </head>
> <body onload="onload">
> <script id="testTemplate" type="text/some-template-lang">
> <div>Test</div>
> </script>
>
> <div id="foo"></div>
>
> </body>
> </html>
>
> // test.js
> var onload = function() {
> document.getElementById('foo').innerHTML =
> document.getElementById('testTemplate').innerHTML;
> };
>
> Is the example above OK? I've tried it in recent versions of Chrome
> and Firefox and it works, but I don't know how well they implement the
> specification and if they will stop the above code once they've
> implemented the CSP specification fully.
>
> Regards,
> Oscar
Received on Monday, 10 September 2012 15:47:50 UTC
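An added illustration of the distinction Adam draws (my own code, not from this thread, the CSP specification or any browser): a script element whose type is not a JavaScript MIME type is an inert data block, so a script-src policy never reaches it, while an executable inline script needs a matching nonce or 'unsafe-inline'. The MIME-type subset, the `audit` helper and the sample markup (modelled on Oscar's test.html) are assumptions constructed for the example; hash sources are left out.

```python
from html.parser import HTMLParser
# JavaScript MIME types from the HTML spec (representative subset, assumed
# sufficient here); any other type makes the element an inert data block.
JS_MIME_TYPES = {"text/javascript", "application/javascript", "text/ecmascript",
                 "application/ecmascript", "application/x-javascript"}

def is_executable(script_type):
    """Empty/absent type, a JS MIME type or "module" runs; anything else is data."""
    t = (script_type or "").strip().lower()
    return t in ("", "module") or t in JS_MIME_TYPES

def inline_allowed(script_src, nonce):
    """Does script-src let an inline *executable* script run? Models nonce
    sources and 'unsafe-inline'; hash sources are omitted for brevity."""
    sources = script_src.replace("script-src", "", 1).split()
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    if nonce and nonce in nonces:
        return True
    # Any nonce (or hash) source in the policy makes 'unsafe-inline' a no-op.
    return "'unsafe-inline'" in sources and not nonces

class ScriptAudit(HTMLParser):
    """Record type, nonce, src and id of every <script> start tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({k: a.get(k) for k in ("type", "nonce", "src", "id")})

def audit(html, script_src):
    """Map each script (by id, else index) to how the policy treats it."""
    parser = ScriptAudit()
    parser.feed(html)
    verdicts = {}
    for i, s in enumerate(parser.scripts):
        key = s["id"] or f"script{i}"
        if not is_executable(s["type"]):
            verdicts[key] = "data block: CSP does not apply"
        elif s["src"]:
            verdicts[key] = "external: matched against script-src sources"
        else:
            verdicts[key] = "inline: " + ("allowed" if inline_allowed(script_src, s["nonce"]) else "blocked")
    return verdicts

# Constructed sample modelled on Oscar's test.html plus one executable inline script.
SAMPLE = ('<script type="text/javascript" src="test.js"></script>'
          '<script id="testTemplate" type="text/some-template-lang"><div>Test</div></script>'
          '<script id="inline" nonce="r4nd0m">document.title = "x";</script>')
```

Under `script-src 'self'` the template block is reported as a data block and the nonced inline script as blocked; adding `'nonce-r4nd0m'` to the policy flips only the latter.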