- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 22 Oct 2014 10:38:25 +0200
- To: Florian Weber <fweber@rebrush.de>
- Cc: WebAppSec WG <public-webappsec@w3.org>
On Tue, Oct 21, 2014 at 11:17 PM, Florian Weber <fweber@rebrush.de> wrote:
> The site owner has the choice to trust the third-party script by giving it a
> valid nonce in the first place.
> If we trust that third party they can run any JavaScript they want. Why
> should they not be allowed to insert another script?
>
> The other solution is to use unsafe-inline, which doesn't make the web much
> safer.
>
> There already was a discussion about this topic on the list some time ago.
> There was a kind of 50/50 feeling about preventing or allowing this
> behavior.
>
> http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0033.html

That thread seems to have quite a few misconceptions about the HTML parser :-(

Script execution, including script nesting, is defined in detail, is normative, and is interoperable across user agents.

The encoding problem also seems somewhat overstated.

--
https://annevankesteren.nl/
Received on Wednesday, 22 October 2014 08:38:52 UTC
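The policy choice debated in this thread (a nonced script inserting a further script, versus falling back to `'unsafe-inline'`) can be modelled with a small script-src matcher. This is an added example, not code from the thread or from any user agent; it models only the `'nonce-...'` and `'unsafe-inline'` source expressions, ignores host-source matching, and uses the hypothetical helper `insertScriptWithNonce` to show a trusted script passing its own nonce to the script it inserts.

```javascript
// Added example (not from the thread): a minimal model of how a nonce-based
// script-src policy treats an inline or inserted script element.
// Only 'nonce-...' and 'unsafe-inline' are modelled; host sources, hashes
// and the other CSP rules are out of scope for this illustration.

function parseScriptSrc(header) {
  const directive = header.split(";")
    .map(s => s.trim())
    .find(d => d.startsWith("script-src"));
  if (!directive) return { nonces: new Set(), unsafeInline: false };
  const sources = directive.slice("script-src".length).trim().split(/\s+/);
  const nonces = new Set();
  let unsafeInline = false;
  for (const src of sources) {
    const m = /^'nonce-([A-Za-z0-9+\/=_-]+)'$/.exec(src);
    if (m) nonces.add(m[1]);
    else if (src === "'unsafe-inline'") unsafeInline = true;
  }
  // CSP Level 2 rule: once a nonce source is present, 'unsafe-inline' is ignored.
  if (nonces.size > 0) unsafeInline = false;
  return { nonces, unsafeInline };
}

// script is a plain object standing in for a <script> element: { nonce?, src? }.
function isScriptAllowed(policy, script) {
  if (script.nonce && policy.nonces.has(script.nonce)) return true;
  return policy.unsafeInline;
}

// Hypothetical helper: a trusted nonced script that inserts another script
// forwards its own nonce, the equivalent of setting
// newScript.nonce = document.currentScript.nonce in a real page.
function insertScriptWithNonce(parentScript, attrs) {
  return { ...attrs, nonce: parentScript.nonce };
}

// Constructed sample: the site owner hands the nonce "abc123" to one third-party script.
const noncePolicy = parseScriptSrc("default-src 'self'; script-src 'nonce-abc123'");
const trusted = { nonce: "abc123", src: "https://thirdparty.example/lib.js" };
const bare = { src: "https://thirdparty.example/plugin.js" };
const forwarded = insertScriptWithNonce(trusted, bare);

function demo() {
  return {
    trustedAllowed: isScriptAllowed(noncePolicy, trusted),    // true
    bareInsertAllowed: isScriptAllowed(noncePolicy, bare),    // false: no nonce
    forwardedAllowed: isScriptAllowed(noncePolicy, forwarded) // true: nonce passed along
  };
}
```

Under the `'unsafe-inline'` alternative mentioned in the thread, `parseScriptSrc("script-src 'unsafe-inline'")` allows the bare insert as well, which is exactly the weaker guarantee being discussed.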