- From: Florian Weber <fweber@rebrush.de>
- Date: Tue, 21 Oct 2014 23:17:14 +0200
- To: Anne van Kesteren <annevk@annevk.nl>, public-webappsec@w3.org
- Message-ID: <CABHFno3RiLD39Pk50HEGj-C7moyuboVW-mh+4GN7OEURC=VVJg@mail.gmail.com>
The Site Owner has the choice to trust the Thirtparty Script by giving it a valid nonce in firstplace. If we trust that Thirdparty they can run any Javascript they want. Why should they not be allowed to insert another script? The other solution is to use unsafe-inline which doesn't make the web much safer. There already was a discussion about this Topic on the List some time ago. There was a kind of 50/50 feeling about preventing or allowing this behavior. http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0033.html 2014-10-21 13:43 GMT+02:00 Anne van Kesteren <annevk@annevk.nl>: > On Tue, Oct 21, 2014 at 1:14 PM, Florian Weber <fweber@rebrush.de> wrote: > > There are a lot of Tracking and Advertisment Scripts out there and I > think > > it would be a lot easier to adopt CSP (without the use of unsafe-inline) > if > > the behavior would be changed. > > How do you envision changing the behavior while retaining the security? > > > -- > https://annevankesteren.nl/ 2014-10-21 22:54 GMT+02:00 Florian Weber <fweber@rebrush.de>: > The Site Owner has the choice to trust the Thirtparty Script by giving it > a valid nonce in firstplace. > If we trust that Thirdparty they can run any Javascript they want. Why > should they not be allowed to insert another script? > > The other solution is to use unsafe-inline which doesn't make the web much > safer. > > There already was a discussion about this Topic on the List some time ago. > There was a kind of 50/50 feeling about preventing or allowing this > behavior. > > http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0033.html > > > > 2014-10-21 13:43 GMT+02:00 Anne van Kesteren <annevk@annevk.nl>: > >> On Tue, Oct 21, 2014 at 1:14 PM, Florian Weber <fweber@rebrush.de> wrote: >> > There are a lot of Tracking and Advertisment Scripts out there and I >> think >> > it would be a lot easier to adopt CSP (without the use of >> unsafe-inline) if >> > the behavior would be changed. >> >> How do you envision changing the behavior while retaining the security? >> >> >> -- >> https://annevankesteren.nl/ >> > > > > -- > Über mich bei Google Plus > <https://plus.google.com/103885057599472805071/posts>,Twitter > <http://@fwebdev>, XING <https://www.xing.com/profile/Florian_Weber7> > > -- Über mich bei Google Plus <https://plus.google.com/103885057599472805071/posts>,Twitter <http://@fwebdev>, XING <https://www.xing.com/profile/Florian_Weber7>
Received on Tuesday, 21 October 2014 21:17:41 UTC