- From: Florian Weber <fweber@rebrush.de>
- Date: Thu, 9 Oct 2014 15:33:47 +0200
- To: public-webappsec@w3.org
- Message-ID: <CABHFno0KGe8h2p8tPZgT-Cuw8tO5xYqzY5OLK3LYtATkwvLoqA@mail.gmail.com>
Hi,

> Brad Hill commented: "Should dynamic creation of script elements that
> match the hash, e.g. with document.write(), be allowed or is the policy
> only evaluated on the first pass of the input stream preprocessor and new
> inline script nodes prohibited thereafter?" Proposal: prohibit dynamic
> addition of inline script blocks. Can anyone think of a reason that it
> would be problematic to prohibit dynamic addition of inline script blocks?

One problem with disallowing dynamically injected <script> tags is the usage of tracking and/or advertising scripts.

If you use a tag-management system you would have something like this: the host requests a script with lots of parameters. Depending on these parameters the TMS will generate a JavaScript that includes lots of document.write statements. Some of these document.writes are inline <script> tags. These will not get executed because they are not trustworthy.

This could be a big problem for a lot of sites to adapt CSP properly (without 'unsafe-inline').

Greeting
Florian

--
Google Plus <https://plus.google.com/103885057599472805071/posts>, Twitter <http://@fwebdev>
Received on Thursday, 9 October 2014 16:36:25 UTC
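
The tag-manager pattern described in the message above, as an added example that is not part of the original post: a static audit that lists the `<script>` tags a tag-manager response would emit through document.write() and flags the inline ones, which the message says would not execute under a policy without 'unsafe-inline'. The function names, the sample response and the `.example` hosts are constructed for illustration.

```javascript
// Added example: audit a tag-manager response for document.write() calls
// that emit inline <script> blocks. The sample input below is constructed.

// Markup emitted by a document.write() call whose arguments begin at `start`.
// String literals are joined; other expressions become "${expr}".
function writtenMarkup(src, start) {
  let out = '', depth = 1, i = start, sawExpr = false;
  while (i < src.length && depth > 0) {
    const c = src[i];
    if (c === '"' || c === "'") {
      let j = i + 1, lit = '';
      while (j < src.length && src[j] !== c) {
        if (src[j] === '\\') j++;            // keep the escaped character
        lit += src[j++] || '';
      }
      out += lit; i = j + 1; sawExpr = false;
    } else {
      if (c === '(') depth++;
      else if (c === ')') depth--;
      else if (!/[\s+]/.test(c) && !sawExpr) { out += '${expr}'; sawExpr = true; }
      i++;
    }
  }
  return out;
}

// List every <script> tag written by the source, marked inline or external.
function auditDocumentWrites(src) {
  const findings = [];
  const call = /document\.write(?:ln)?\s*\(/g;
  let m;
  while ((m = call.exec(src)) !== null) {
    const markup = writtenMarkup(src, call.lastIndex);
    const tag = /<script\b([^>]*)>/gi;
    let t;
    while ((t = tag.exec(markup)) !== null) {
      const external = /\bsrc\s*=/i.test(t[1]);
      findings.push({ offset: m.index, kind: external ? 'external' : 'inline', tag: t[0] });
    }
  }
  return findings;
}

// Constructed sample of what a tag-management system might return.
const SAMPLE_TMS_RESPONSE = [
  "document.write('<scr' + 'ipt src=\"https://cdn.example/t.js?id=' + pid + '\"></scr' + 'ipt>');",
  "document.write('<script>var _tq = _tq || []; _tq.push([\"view\", ' + pid + ']);<\\/script>');",
  "document.write('<img src=\"https://px.example/p.gif\" width=\"1\" height=\"1\">');",
].join('\n');
console.log(auditDocumentWrites(SAMPLE_TMS_RESPONSE));
```

Findings of kind `inline` are the tags that would need to be reworked (for example, moved into an external file on an allowed host) before the site can drop 'unsafe-inline'.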