W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2013

Re: CSP script hashes

From: Jacob Hoffman-Andrews <jsha@twitter.com>
Date: Tue, 12 Feb 2013 11:10:18 -0800
Message-ID: <CADzQPXvMxrTUV+CEFsKb=TyUqRnBTa2XvJY-+MqE6RXDJx-+4A@mail.gmail.com>
To: Bryan McQuade <bmcquade@google.com>
Cc: Yoav Weiss <yoav@yoav.ws>, Eric Chen <eric.chen@sv.cmu.edu>, Nicholas Green <ngreen@twitter.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> I like this but I don't think it plays well with the HTML5 spec. The HTML5
> spec says that upon encountering a (non-async, non-deferred) script, the
> parser itself must block until that script executes. The reason is that the
> script can emit HTML through e.g. document.write and that emitted HTML must
> be processed immediately after the point where the executing script block
> closes. This can change the structure of the document by emitting e.g.
> unbalanced tags. So it's actually not really possible to parse beyond the
> first script block w/o executing it if we're following the HTML5 spec, as I
> understand.

This makes sense, thanks for clarifying. I'm on board now with the
hash-per-element approach.
Received on Tuesday, 12 February 2013 19:30:33 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:31 UTC