W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Re: Allow dynamically inserted <script>-Tags from trustworthy Scripts

From: Florian Weber <fweber@rebrush.de>
Date: Tue, 21 Oct 2014 23:17:14 +0200
Message-ID: <CABHFno3RiLD39Pk50HEGj-C7moyuboVW-mh+4GN7OEURC=VVJg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>, public-webappsec@w3.org
The site owner has the choice to trust the third-party script by giving it a
valid nonce in the first place.
If we trust that third party, they can run any JavaScript they want. Why
should they not be allowed to insert another script?

The other solution is to use unsafe-inline, which doesn't make the web much
safer.

There already was a discussion about this topic on the list some time ago.
There was a kind of 50/50 feeling about preventing or allowing this
behavior.

http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0033.html



2014-10-21 13:43 GMT+02:00 Anne van Kesteren <annevk@annevk.nl>:

> On Tue, Oct 21, 2014 at 1:14 PM, Florian Weber <fweber@rebrush.de> wrote:
> > There are a lot of Tracking and Advertisement Scripts out there and I think
> > it would be a lot easier to adopt CSP (without the use of unsafe-inline) if
> > the behavior would be changed.
>
> How do you envision changing the behavior while retaining the security?
>
>
> --
> https://annevankesteren.nl/

-- 
About me on Google Plus
<https://plus.google.com/103885057599472805071/posts>, Twitter
<http://@fwebdev>, XING <https://www.xing.com/profile/Florian_Weber7>
Received on Tuesday, 21 October 2014 21:17:41 UTC
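As an added example (not part of this thread and not the CSP specification's own text), here is a small Node.js model of how a CSP Level 2 script-src decision plays out for the cases discussed above: a nonced third-party tag, the nonce-less script it inserts at runtime, and the unsafe-inline alternative. The page origin, the nonce and the policy strings are constructed, and hash-sources are left out.

```javascript
// Added example: a minimal model of how a CSP Level 2 script-src directive
// decides whether a <script> may run, used to trace the cases debated above.
// Policies, origins and the nonce below are constructed; hash-sources are omitted.

function parseScriptSrc(header) {
  const directive = header.split(';').map((d) => d.trim()).find((d) => /^script-src\b/.test(d));
  if (!directive) return null; // no script-src: this model applies no restriction
  const policy = { hosts: [], nonces: [], unsafeInline: false };
  for (const token of directive.split(/\s+/).slice(1)) {
    const nonce = token.match(/^'nonce-([A-Za-z0-9+/=_-]+)'$/);
    if (token === "'unsafe-inline'") policy.unsafeInline = true;
    else if (nonce) policy.nonces.push(nonce[1]);
    else if (token !== "'none'") policy.hosts.push(token); // 'self', '*', scheme://host
  }
  return policy;
}

function hostSourceMatches(source, scriptUrl, pageOrigin) {
  const target = new URL(scriptUrl);
  if (source === '*') return true;
  if (source === "'self'") return target.origin === pageOrigin;
  const [scheme, host] = source.includes('://') ? source.split('://') : [target.protocol.slice(0, -1), source];
  if (scheme !== target.protocol.slice(0, -1)) return false;
  if (host.startsWith('*.')) return target.hostname.endsWith(host.slice(1)); // *.example -> .example suffix
  return host === target.host;
}

function scriptAllowed(policy, script, pageOrigin) {
  if (!policy) return true;
  if (script.nonce && policy.nonces.includes(script.nonce)) return true; // CSP2: nonces cover inline and external scripts
  if (script.src) return policy.hosts.some((s) => hostSourceMatches(s, script.src, pageOrigin));
  // Inline without a valid nonce: 'unsafe-inline' is honoured only when the policy uses no nonce-source at all.
  return policy.unsafeInline && policy.nonces.length === 0;
}

const PAGE_ORIGIN = 'https://shop.example'; // constructed
const NONCE = 'r4nd0mN0nce'; // constructed; a real nonce is fresh and unguessable per response
const noncePolicy = parseScriptSrc(`default-src 'self'; script-src 'self' 'nonce-${NONCE}'`);
const inlinePolicy = parseScriptSrc("script-src 'self' https://tracker.example 'unsafe-inline'");

// The site owner trusts one third-party script by giving its tag the nonce; that script then
// does document.createElement('script') at runtime, and the new element carries no nonce.
function runScenarios() {
  return {
    trackerTagWithNonce: scriptAllowed(noncePolicy, { src: 'https://tracker.example/t.js', nonce: NONCE }, PAGE_ORIGIN),
    injectedInlineUnderNonce: scriptAllowed(noncePolicy, {}, PAGE_ORIGIN),
    injectedExternalUnderNonce: scriptAllowed(noncePolicy, { src: 'https://cdn.tracker.example/more.js' }, PAGE_ORIGIN),
    injectedInlineUnderUnsafeInline: scriptAllowed(inlinePolicy, {}, PAGE_ORIGIN),
  };
}
```

Only the first and last scenarios come out allowed: the nonce covers the tag it was given to, not the elements that tag creates, which is exactly the behavior the thread is arguing about.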
