
Re: Allow dynamically inserted <script>-Tags from trustworthy Scripts

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 22 Oct 2014 10:38:25 +0200
Message-ID: <CADnb78hA1LhD1180qw-D1rFOHniJACKYdpwUnAVDTJHkfaC8qg@mail.gmail.com>
To: Florian Weber <fweber@rebrush.de>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Tue, Oct 21, 2014 at 11:17 PM, Florian Weber <fweber@rebrush.de> wrote:
> The site owner has the choice to trust the third-party script by giving it a
> valid nonce in the first place.
> If we trust that third party, they can run any JavaScript they want. Why
> should they not be allowed to insert another script?
> The other solution is to use unsafe-inline, which doesn't make the web much
> safer.
> There already was a discussion about this topic on the list some time ago.
> There was a kind of 50/50 feeling about preventing or allowing this
> behavior.
> http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0033.html

That thread seems to have quite a few misconceptions about the HTML
parser :-( Script execution, including script nesting, is defined in
detail, is normative, and is interoperable across user agents. The
encoding problem also seems somewhat overstated.

Received on Wednesday, 22 October 2014 08:38:52 UTC
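The situation the quoted message describes, as an added illustration that is not part of the thread: a simplified model of how a CSP `script-src` directive admits or blocks a script, used to show that a script inserted at runtime by a nonce-allowed third-party script is blocked unless it carries the nonce itself or the policy falls back to `'unsafe-inline'`. The model handles only `'self'`, `'unsafe-inline'`, `'nonce-...'` and full-origin host sources; the page, origin and nonce values are constructed.

```javascript
// Added example, not code from the thread: a simplified model of CSP
// script-src matching. Real matching follows the CSP specification.
function parseScriptSrc(header) {
  const directive = header.split(';').map((d) => d.trim())
    .find((d) => d.startsWith('script-src'));
  const tokens = directive ? directive.split(/\s+/).slice(1) : [];
  return {
    nonces: new Set(tokens.filter((t) => /^'nonce-.+'$/.test(t)).map((t) => t.slice(7, -1))),
    unsafeInline: tokens.includes("'unsafe-inline'"),
    self: tokens.includes("'self'"),
    origins: tokens.filter((t) => !t.startsWith("'")),   // e.g. 'https://cdn.example'
  };
}

// script: { src?: string, nonce?: string }; pageOrigin: e.g. 'https://shop.example'
function scriptAllowed(policy, script, pageOrigin) {
  // A matching nonce attribute admits the script, inline or external,
  // regardless of whether the markup or a running script created the element.
  if (script.nonce && policy.nonces.has(script.nonce)) return true;
  if (!script.src) {
    // Inline script: 'unsafe-inline' admits it, but CSP Level 2 ignores
    // 'unsafe-inline' once the directive carries a nonce.
    return policy.unsafeInline && policy.nonces.size === 0;
  }
  const origin = new URL(script.src).origin;
  if (policy.self && origin === pageOrigin) return true;
  return policy.origins.includes(origin);
}

// Constructed scenario: the site owner hands the nonce to a third-party
// loader, which then inserts further <script> elements at runtime.
const PAGE = 'https://shop.example';
const NONCED = parseScriptSrc("default-src 'self'; script-src 'self' 'nonce-r4nd0m'");
const UNSAFE = parseScriptSrc("script-src 'self' 'unsafe-inline'");
const loader = { src: 'https://cdn.example/loader.js', nonce: 'r4nd0m' };
const injectedInline = {};                      // inserted by the loader, no nonce
const injectedWithNonce = { nonce: 'r4nd0m' };  // loader copied its own nonce across

console.log(scriptAllowed(NONCED, loader, PAGE));            // true
console.log(scriptAllowed(NONCED, injectedInline, PAGE));    // false: the blocked case the thread discusses
console.log(scriptAllowed(NONCED, injectedWithNonce, PAGE)); // true: nonce propagated instead of 'unsafe-inline'
console.log(scriptAllowed(UNSAFE, injectedInline, PAGE));    // true: admitted, but so is any injected inline script
```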
