Re: Allow dynamically inserted <script>-Tags from trustworthy Scripts

On Tue, Oct 21, 2014 at 11:17 PM, Florian Weber <fweber@rebrush.de> wrote:
> The site owner has the choice to trust the third-party script by giving it a
> valid nonce in the first place.
> If we trust that third party, they can run any JavaScript they want. Why
> should they not be allowed to insert another script?
>
> The other solution is to use unsafe-inline, which doesn't make the web much
> safer.
>
> There already was a discussion about this topic on the list some time ago.
> There was a kind of 50/50 feeling about preventing or allowing this
> behavior.
>
> http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0033.html

That thread seems to have quite a few misconceptions about the HTML
parser :-( Script execution, including script nesting, is defined in
detail, is normative, and is interoperable across user agents. The
encoding problem also seems somewhat overstated.


-- 
https://annevankesteren.nl/

Received on Wednesday, 22 October 2014 08:38:52 UTC
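The trade-off in the quoted message, as an added example that is not part of the thread: a simplified model of CSP2 script-src matching (nonce, 'unsafe-inline', 'self' and exact-origin host sources only; the page origin, nonce value and hostnames are constructed) showing that a nonce-only policy blocks the script a trusted third-party script inserts, while the 'unsafe-inline' alternative lets every inline script run.

```javascript
// Simplified CSP2 script-src evaluator (added example, not browser code).
// Models only: 'nonce-...', 'unsafe-inline', 'self' and exact-origin hosts.
const PAGE_ORIGIN = "https://example.test"; // constructed sample origin

// Parse a script-src directive value into the source kinds we model.
function parseScriptSrc(directive) {
  const tokens = directive.trim().split(/\s+/);
  return {
    unsafeInline: tokens.includes("'unsafe-inline'"),
    self: tokens.includes("'self'"),
    nonces: tokens.filter(t => t.startsWith("'nonce-")).map(t => t.slice(7, -1)),
    hosts: tokens.filter(t => !t.startsWith("'")), // e.g. https://cdn.third.test
  };
}

// script: { nonce?: string, src?: string }; no src means an inline script.
function scriptAllowed(directive, script) {
  const p = parseScriptSrc(directive);
  // A matching nonce allows the script, inline or external.
  if (script.nonce && p.nonces.includes(script.nonce)) return true;
  if (!script.src) {
    // CSP2: 'unsafe-inline' is ignored once the policy carries a nonce source.
    return p.unsafeInline && p.nonces.length === 0;
  }
  const origin = new URL(script.src).origin;
  if (p.self && origin === PAGE_ORIGIN) return true;
  return p.hosts.includes(origin);
}

// Scenario from the thread: the site owner trusts a third-party script via a
// nonce; that script then inserts further <script> elements without the nonce.
const NONCE_POLICY = "'self' 'nonce-r4nd0m'";
const INLINE_POLICY = "'self' https://cdn.third.test 'unsafe-inline'";
const trusted = { nonce: "r4nd0m", src: "https://cdn.third.test/lib.js" };
const insertedExternal = { src: "https://cdn.third.test/plugin.js" }; // no nonce
const insertedInline = {};                                             // no nonce

function scenario(directive) {
  return {
    trusted: scriptAllowed(directive, trusted),
    insertedExternal: scriptAllowed(directive, insertedExternal),
    insertedInline: scriptAllowed(directive, insertedInline),
  };
}

console.log("nonce policy :", scenario(NONCE_POLICY));  // only `trusted` runs
console.log("inline policy:", scenario(INLINE_POLICY)); // everything runs
```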