Allow dynamically inserted <script> tags from trustworthy scripts


> Brad Hill commented: "Should dynamic creation of script elements that
> match the hash, e.g. with document.write(), be allowed or is the policy
> only evaluated on the first pass of the input stream preprocessor and new
> inline script nodes prohibited thereafter?" Proposal: prohibit dynamic
> addition of inline script blocks. Can anyone think of a reason that it
> would be problematic to prohibit dynamic addition of inline script blocks?

One problem with disallowing dynamically injected <script> tags is the use
of tracking and/or advertising scripts.

If you use a tag-management system (TMS) you would have something like this:

The host requests a script with lots of parameters.

Depending on these parameters the TMS will generate a JavaScript file that
includes lots of document.write statements.

Some of these document.writes are inline <script> tags.

These will not get executed because they are not trustworthy.

This could be a big problem for a lot of sites trying to adopt CSP properly
(without 'unsafe-inline').


Received on Thursday, 9 October 2014 16:36:25 UTC
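As an added illustration (not part of the original message or of any browser's implementation), the Python below models the CSP hash check at the heart of the question: it computes the `'sha256-…'` hash-source for an inline script body, extracts `script-src` sources from a policy string, and decides whether an inline block may run. The TMS scenario from the message is built in as constructed sample data (the host name `tms.example` and the script bodies are invented): the outer script fetched from the TMS host is covered by a hash or host source, but the inline block it `document.write()`s has a different body, so the policy only admits it if that inner body's own hash is listed. The model evaluates the hash against the inline body regardless of how the block was inserted, which is the "allow if it matches" reading of Brad Hill's question.

```python
import base64
import hashlib
import re

# Constructed sample of what a tag-management system (TMS) might emit.
# The outer script is served from the TMS host; the inner script is an
# inline block written into the document at runtime via document.write().
TMS_INLINE_SCRIPT = "window.dataLayer = window.dataLayer || []; dataLayer.push({'event': 'pageview'});"
TMS_GENERATED_SCRIPT = "document.write('<script>" + TMS_INLINE_SCRIPT + "<\\/script>');"


def csp_hash(script_body: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source for an inline script body, e.g. 'sha256-<base64>'.

    CSP hashes the script's text content (as UTF-8) and base64-encodes the digest.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP only defines sha256, sha384 and sha512 hash sources")
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_src_sources(policy: str) -> list[str]:
    """Extract the source expressions of the script-src directive from a policy string."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def inline_script_allowed(policy: str, script_body: str) -> bool:
    """Decide whether an inline <script> with this exact body may run under the policy.

    Allowed if 'unsafe-inline' is present and no hash or nonce source is
    (a hash or nonce source switches 'unsafe-inline' off in CSP Level 2),
    or if one of the listed hash sources matches the body.
    """
    sources = script_src_sources(policy)
    hash_sources = [
        s.strip("'")
        for s in sources
        if re.fullmatch(r"'sha(256|384|512)-[A-Za-z0-9+/=]+'", s)
    ]
    nonce_present = any(s.startswith("'nonce-") for s in sources)
    if "'unsafe-inline'" in sources and not hash_sources and not nonce_present:
        return True
    for listed in hash_sources:
        algo = listed.split("-", 1)[0]
        if csp_hash(script_body, algo) == listed:
            return True
    return False


def tms_example() -> dict:
    """Model the TMS case: hashing the outer generated script does not cover the
    inline block it writes; that block needs its own hash in the policy."""
    policy_outer_only = (
        f"script-src https://tms.example '{csp_hash(TMS_GENERATED_SCRIPT)}'"
    )
    policy_both = policy_outer_only + f" '{csp_hash(TMS_INLINE_SCRIPT)}'"
    return {
        "inner_allowed_with_outer_hash_only": inline_script_allowed(policy_outer_only, TMS_INLINE_SCRIPT),
        "inner_allowed_with_inner_hash": inline_script_allowed(policy_both, TMS_INLINE_SCRIPT),
    }


if __name__ == "__main__":
    for name, allowed in tms_example().items():
        print(f"{name}: {allowed}")
```

Because the TMS output varies with the request parameters, the site operator cannot precompute hashes for every inline block the TMS may write, which is the practical obstacle the message describes; the hash mechanism only helps when the inline bodies are fixed and known at policy-authoring time. (CSP Level 3 later added `'strict-dynamic'` so that trust granted to a script by nonce or hash propagates to scripts it creates with non-parser-inserted APIs; this example does not model that.)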