RE: script-tag with html template-content

Actually some of those templating engines will be problematic because
they use eval internally to "compile" the templates to javascript
functions. So you may have to specify 'unsafeEval' as script-src for
them to run. This can be safe as long as you don't use eval and friends
in unsafe way(e.g. directly with user input) elsewhere.


Sent from my c64
From: Adam Barth
Sent: 10.09.2012 17:48
To: Oscar Finnsson
Subject: Re: script-tag with html template-content
CSP just stops inline <script> tags from executing.  If you're placing
something in a script tag that you don't expect to execute, CSP won't
affect you.


On Mon, Sep 10, 2012 at 1:45 AM, Oscar Finnsson
<> wrote:
> Hi,
> I'm reading the CSP specification and trying to figure out if the CSP
> disallows all content inside script-tags, regardless of type, or if it
> only disallows content inside script-tags that the browser will
> execute directly (e.g. javascript).
> Some template engines (e.g. jQuery Template) put html markup inside
> script-tags since the markup should not be included in the DOM
> directly. Will this practice be stopped or reported as a CSP violation
> when browsers implement the CSP specification?
> Example:
> // test.html
> <!DOCTYPE html>
> <html>
> <head>
>   <title>test</title>
>   <script type="text/javascript" src="test.js"/>
> </head>
> <body onload="onload">
> <script id="testTemplate" type="text/some-template-lang">
>   <div>Test</div>
> </script>
> <div id="foo"/>
> </body>
> </html>
> // test.js
> var onload = function() {
>   document.getElementById('foo').innerHTML =
> document.getElementById('testTemplate').innerHTML;
> };
> Is the example above OK? I've tried it in recent versions of Chrome
> and Firefox and it works, but I don't know how well they implement the
> specification and if they will stop the above code once they've
> implemented the CSP specification fully.
> Regards,
> Oscar

Received on Tuesday, 11 September 2012 11:55:37 UTC