
Allow dynamically inserted <script>-Tags from trustworthy Scripts

From: Florian Weber <fweber@rebrush.de>
Date: Thu, 9 Oct 2014 15:33:47 +0200
Message-ID: <CABHFno0KGe8h2p8tPZgT-Cuw8tO5xYqzY5OLK3LYtATkwvLoqA@mail.gmail.com>
To: public-webappsec@w3.org
Hi,

> Brad Hill commented: " Should dynamic creation of script elements that
> match the hash, e.g. with document.write(), be allowed or is the policy
> only evaluated on the first pass of the input stream preprocessor and new
> inline script nodes prohibited thereafter? " Proposal: prohibit dynamic
> addition of inline script blocks. Can anyone think of a reason that it
> would be problematic to prohibit dynamic addition of inline script blocks?

One problem with disallowing dynamically injected <script> tags is the use
of tracking and/or advertising scripts.

If you use a tag-management system you would have something like this:

The host requests a script with lots of parameters.

Depending on these parameters, the TMS will generate JavaScript that
includes lots of document.write statements.

Some of these document.write calls are inline <script> tags.

These will not get executed because they are not trustworthy.

This could be a big problem for a lot of sites adopting CSP properly
(without 'unsafe-inline').

Greetings,
Florian

-- 
Google Plus <https://plus.google.com/103885057599472805071/posts>, Twitter
<http://@fwebdev>
Received on Thursday, 9 October 2014 16:36:25 UTC
