
Re: Allow dynamically inserted <script>-Tags from trustworthy Scripts

From: Florian Weber <fweber@rebrush.de>
Date: Tue, 14 Oct 2014 14:18:06 +0200
Message-ID: <CABHFno1TCmBvnNu=0H4Wbkb1656EFyeqD+sBU6F7n6GRdnu=7A@mail.gmail.com>
To: public-webappsec@w3.org
Thanks for your reply.

We are already using a nonce for the initial tracking call. The big problem is
that all the tracking scripts are completely 3rd party. We have no
influence on all the inserted scripts.
And I think it would be quite a long way to convince all the
tracking suppliers to use CSP. (Most of them are still using
synchronous JavaScript includes.... these people are not web developers in
the first place)

So this will not really help in these cases.

Greetings
Florian

2014-10-14 12:55 GMT+02:00 Mike West <mkwst@google.com>:

> Nonces should serve this use-case (and they're shipping now in Firefox and
> Chrome); if you transfer the nonce to the trusted script (either via GET
> parameters, or by simply embedding it on the page in a place the script can
> read) then it can inject its own scripts using that token.
>
> For example, given `script-src 'nonce-12345'`, the following could be
> effective:
>
> <!-- In index.html -->
> <script nonce="12345" src="trusted.js"></script>
>
> // In trusted.js
> var nonce = document.querySelector('script').getAttribute('nonce');
> document.write('<script nonce="' + nonce + '" src="whatever.js"></script>');
>
> Does that answer your question?
>
> -mike
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
> On Thu, Oct 9, 2014 at 3:33 PM, Florian Weber <fweber@rebrush.de> wrote:
>
>> Hi,
>>
>>
>> > Brad Hill commented: " Should dynamic creation of script elements that
>> > match the hash, e.g. with document.write(), be allowed or is the policy
>> > only evaluated on the first pass of the input stream preprocessor and new
>> > inline script nodes prohibited thereafter? " Proposal: prohibit dynamic
>> > addition of inline script blocks. Can anyone think of a reason that it
>> > would be problematic to prohibit dynamic addition of inline script blocks?
>>
>>
>> One problem of disallowing dynamically injected <script> tags is the
>> usage of tracking and/or advertising scripts.
>>
>> If you use a tag-management system you would have something like this:
>>
>> Host requests a script with lots of parameters.
>>
>> Depending on these parameters the TMS will generate a JavaScript that
>> includes lots of document.write statements.
>>
>> Some of these document.writes are inline <script> tags.
>>
>> These will not get executed because they are not trustworthy.
>>
>> This could be a big problem for a lot of sites to adapt CSP properly.
>> (without 'unsafe-inline')
>>
>> Greetings
>> Florian
>>
>> --
>> Google Plus <https://plus.google.com/103885057599472805071/posts>, Twitter
>> <http://@fwebdev>
>>
>>
>


-- 
About me on Google Plus
<https://plus.google.com/103885057599472805071/posts>, Twitter
<http://@fwebdev>, XING <https://www.xing.com/profile/Florian_Weber7>
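The nonce-forwarding pattern from Mike's reply, written out as an added example that is not part of the thread: the trusted loader reads its own nonce via `document.currentScript` (rather than `querySelector('script')`, which returns the first script element on the page, not necessarily the executing one) and copies it onto scripts it creates. The `doc` parameter, the `fakeDocument` stand-in and the `whatever.js` name are assumptions made so the code runs outside a browser; in a real page you pass `document`.

```javascript
// Added example: a trusted, nonced loader forwarding its CSP nonce to the
// scripts it inserts. Not code from the thread. `doc` is injected so the
// logic can run under Node; in the browser call these with `document`.

// Read the nonce of the currently executing script.
// document.currentScript is the element whose code is running (null inside
// async callbacks and module scripts). Prefer the `nonce` IDL property:
// CSP3 browsers hide the content attribute, so getAttribute('nonce') can
// return '' even though el.nonce still carries the value.
function ownNonce(doc) {
  const el = doc.currentScript;
  if (!el) return '';
  return el.nonce || el.getAttribute('nonce') || '';
}

// Insert an external script that carries the given nonce. Under
// `script-src 'nonce-<value>'` the browser runs it only if the nonce matches,
// so a loader that lost its nonce must not silently insert unnonced scripts.
function insertNoncedScript(doc, src, nonce) {
  if (!nonce) throw new Error('refusing to insert a script without a nonce');
  const s = doc.createElement('script');
  s.src = src;
  s.nonce = nonce; // set the IDL property; the browser copies it to the element's nonce slot
  doc.head.appendChild(s);
  return s;
}

// Constructed stand-in for the parts of `document` used above (assumption:
// this is only a test double, it performs no CSP enforcement itself).
function fakeDocument(currentNonce) {
  const head = { children: [], appendChild(el) { this.children.push(el); return el; } };
  return {
    currentScript: currentNonce === null ? null : { nonce: currentNonce, getAttribute: () => '' },
    head,
    createElement(tag) { return { tagName: tag.toUpperCase(), src: '', nonce: '' }; },
  };
}

// Walk the pattern end to end: loader nonce '12345' ends up on the inserted tag.
function demo() {
  const doc = fakeDocument('12345');
  const inserted = insertNoncedScript(doc, 'whatever.js', ownNonce(doc));
  return { nonce: inserted.nonce, src: inserted.src, count: doc.head.children.length };
}
```

Note that every script the loader inserts is trusted purely because it carries the nonce, so the nonce value acts as a capability and should not be exposed further than the loader needs (for example, not in URL query strings that end up in third-party logs). CSP3 later added `'strict-dynamic'`, under which scripts added with `createElement`/`appendChild` by a nonced script inherit trust without copying the nonce; scripts added via `document.write` are not covered by it.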
Received on Tuesday, 14 October 2014 12:20:03 UTC
