W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Allow dynamically inserted <script>-Tags from trustworthy Scripts

From: Florian Weber <fweber@rebrush.de>
Date: Thu, 9 Oct 2014 15:33:47 +0200
Message-ID: <CABHFno0KGe8h2p8tPZgT-Cuw8tO5xYqzY5OLK3LYtATkwvLoqA@mail.gmail.com>
To: public-webappsec@w3.org

> Brad Hill commented: "Should dynamic creation of script elements that
> match the hash, e.g. with document.write(), be allowed or is the policy
> only evaluated on the first pass of the input stream preprocessor and new
> inline script nodes prohibited thereafter?"
>
> Proposal: prohibit dynamic addition of inline script blocks. Can anyone
> think of a reason that it would be problematic to prohibit dynamic
> addition of inline script blocks?

One problem with disallowing dynamically injected <script> tags is the use
of tracking and/or advertising scripts.

If you use a tag-management system (TMS), you would have something like this:

The host requests a script with lots of parameters.

Depending on these parameters, the TMS will generate JavaScript that
includes lots of document.write statements.

Some of these document.writes are inline <script> tags.

These will not get executed because they are not trustworthy.

This could be a big problem for a lot of sites trying to adapt CSP properly
(without 'unsafe-inline').

Google Plus <https://plus.google.com/103885057599472805071/posts>, Twitter
Received on Thursday, 9 October 2014 16:36:25 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:41 UTC