
Re: Allow dynamically inserted <script>-Tags from trustworthy Scripts

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 22 Oct 2014 10:38:25 +0200
Message-ID: <CADnb78hA1LhD1180qw-D1rFOHniJACKYdpwUnAVDTJHkfaC8qg@mail.gmail.com>
To: Florian Weber <fweber@rebrush.de>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Tue, Oct 21, 2014 at 11:17 PM, Florian Weber <fweber@rebrush.de> wrote:
> The site owner has the choice to trust the third-party script by giving it a
> valid nonce in the first place.
> If we trust that third party they can run any JavaScript they want. Why
> should they not be allowed to insert another script?
>
> The other solution is to use unsafe-inline which doesn't make the web much
> safer.
>
> There already was a discussion about this topic on the list some time ago.
> There was a kind of 50/50 feeling about preventing or allowing this
> behavior.
>
> http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0033.html

That thread seems to have quite a few misconceptions about the HTML
parser :-( Script execution, including script nesting, is defined in
detail, is normative, and is interoperable across user agents. The
encoding problem also seems somewhat overstated.


-- 
https://annevankesteren.nl/
Received on Wednesday, 22 October 2014 08:38:52 UTC
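The scenario argued over in the quoted message (a third-party script that the site owner trusts with a nonce, which then inserts a second script) modelled as an added JavaScript example; this is not code from the thread or from any browser, it follows the CSP Level 2 script-src rules with simplified host matching (exact origins only, hash-sources recognised but not matched), and the policy string, nonce and URLs are constructed.

```javascript
// Added model of CSP Level 2 script-src decisions (not browser code). Host
// matching is simplified to exact origins; hash-sources are only recognised.
function parseScriptSrc(directiveValue) {
  const p = { nonces: new Set(), hosts: [], self: false, unsafeInline: false, hasNonceOrHash: false };
  for (const token of directiveValue.trim().split(/\s+/)) {
    const t = token.replace(/^'|'$/g, "");                 // keywords are quoted
    if (t.startsWith("nonce-")) { p.nonces.add(t.slice(6)); p.hasNonceOrHash = true; }
    else if (/^sha(256|384|512)-/.test(t)) p.hasNonceOrHash = true;
    else if (t === "unsafe-inline") p.unsafeInline = true;
    else if (t === "self") p.self = true;
    else p.hosts.push(t);
  }
  return p;
}
// A host-source without a scheme ("cdn.example.net") takes the page's scheme.
function tokenOrigin(token, pageOrigin) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(token) ? token : `${new URL(pageOrigin).protocol}//${token}`;
  return new URL(withScheme).origin;
}

// script = { inline, src?, nonce? }. Whether the element came from the parser or
// from document.createElement() does not matter: CSP checks attributes and source.
function scriptAllowed(policy, script, pageOrigin) {
  if (script.nonce !== undefined && policy.nonces.has(script.nonce)) return true; // nonce wins
  if (script.inline) {
    // CSP2: 'unsafe-inline' is ignored once a nonce- or hash-source is present,
    // so adding it beside a nonce does not unblock inline code.
    return policy.unsafeInline && !policy.hasNonceOrHash;
  }
  const origin = new URL(script.src).origin;
  if (policy.self && origin === pageOrigin) return true;
  return policy.hosts.some((h) => tokenOrigin(h, pageOrigin) === origin);
}

// Constructed scenario: the site owner gives a third-party widget the nonce;
// the widget then inserts part2.js through the DOM.
const PAGE = "https://example.com";
const POLICY = parseScriptSrc("'nonce-r4nd0m' 'self'");
const widget = { inline: false, src: "https://cdn.example.net/widget.js", nonce: "r4nd0m" };
const inserted = { inline: false, src: "https://cdn.example.net/part2.js" };

function thirdPartyScenario() {
  return {
    widget: scriptAllowed(POLICY, widget, PAGE),                                        // true
    insertedWithoutNonce: scriptAllowed(POLICY, inserted, PAGE),                        // false
    insertedWithNonce: scriptAllowed(POLICY, { ...inserted, nonce: "r4nd0m" }, PAGE),   // true
    injectedInline: scriptAllowed(POLICY, { inline: true }, PAGE),                      // false
    // dropping nonces for 'unsafe-inline' lets every inline script run, injected ones included
    unsafeInlineOnly: scriptAllowed(parseScriptSrc("'unsafe-inline' 'self'"), { inline: true }, PAGE), // true
  };
}
```

The second case is the one the thread complains about: the inserted script is blocked unless the trusted widget copies its own nonce onto the element it creates, while the last case shows why falling back to 'unsafe-inline' gives up the protection entirely.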
