Re: CSP script hashes

> So I don't see a benefit to allowing dynamically injected <script>
> tags.  Rather than injecting a script tag from JS one could just
> execute JS, so I see nothing problematic about prohibiting dynamic
> addition of inline script blocks.  On the other hand I don't see a
> major risk allowing these scripts to run either, no strong opinion.


I think one of the problems disallowing dynamically injected <script> tags
is trying to address is DOM XSS, where the document.write function call is
trustworthy but the content of document.write is not trustworthy. In this
case, I actually think blocking these inline scripts is much better than
allowing them. If the host page wants to allow these scripts, they can
always modify the CSP policy dynamically to include the hash of the dynamic
content (assuming a <meta>-like element is used for CSP).

-- 
-Eric

Received on Tuesday, 12 February 2013 20:56:06 UTC
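The hash check discussed in this message, as an added example that is not part of the original e-mail or of any CSP draft text: the host page opts in to one exact dynamically written script block by hash, and the same `document.write` call carrying altered content no longer matches. It assumes the `'sha256-<base64>'` source syntax later standardized in CSP Level 2; the function names, policy string and `initWidget` block are constructed for illustration, and only the matching logic is modelled (run with Node.js).

```javascript
// Added example: hash-based allow-listing of inline script blocks.
const crypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto'); // fallback when run as an ES module

// Source expression for an inline script body: 'sha256-<base64 digest>'.
function scriptHashSource(scriptText) {
  const digest = crypto.createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Collect the hash sources listed in the policy's script-src directive.
function allowedHashes(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') {
      return new Set(sources.filter((s) => /^'sha256-[A-Za-z0-9+/]+={0,2}'$/.test(s)));
    }
  }
  return new Set();
}

// Would an inline <script> with exactly this body be allowed to run?
function inlineScriptAllowed(policy, scriptText) {
  return allowedHashes(policy).has(scriptHashSource(scriptText));
}

// The host page opts in to one specific block by adding its hash to script-src.
function addScriptHash(policy, scriptText) {
  const hash = scriptHashSource(scriptText);
  const directives = policy.split(';').map((d) => d.trim()).filter(Boolean);
  const i = directives.findIndex((d) => /^script-src(\s|$)/i.test(d));
  if (i === -1) directives.push(`script-src ${hash}`);
  else directives[i] += ` ${hash}`;
  return directives.join('; ');
}

// Constructed sample: a block the page builds and passes to document.write().
const buildBlock = (theme) => `initWidget({theme: '${theme}'});`;
const basePolicy = "default-src 'self'; script-src 'self'";
const trustedBlock = buildBlock('dark');              // content the page intended
const taintedBlock = buildBlock("x'});alert(1);//");  // same call, untrusted input

const policy = addScriptHash(basePolicy, trustedBlock);
console.log(policy);
console.log('intended block allowed:', inlineScriptAllowed(policy, trustedBlock));
console.log('altered block allowed: ', inlineScriptAllowed(policy, taintedBlock));
```

In CSP as later standardized, a policy delivered after the first one is enforced in addition to it and cannot relax it, so the hash has to be present in the policy the page is originally served with.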