
Re: HTML Imports and CSP

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 3 Apr 2015 21:23:39 -0700
Message-ID: <CAPfop_1EGiJp3690xQbDQikpmZ8bKgmU8tn_QOywGZLWAz3xgw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Justin Fagnani <justinfagnani@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> You're not wrong there; inline event handlers are bad and they should feel
> bad.
>
> That said, is the risk really different in kind from just allowing plain old
> inline script that executes directly? It doesn't seem to be. Allowing one
> without allowing the other seems capricious.

I think Brad put the concern really well, but even for code written by
developers I know---I would rather trust their ability to sanitize a
string inside a JS variable than inside a script tag than "inside JS,
inside an event handler, in response to a DOM event". And I would
trust a review of the former more than a review of the latter.

> What's your ideal solution?

I tend to agree with Crispin on code data separation. Anything that
mixes the two should have the word unsafe in it.

If not that, then just inline scripts will make me less sad. Allowing
inline scripts and event handlers just because the import is allowed
in script-src is definitely something I would strongly oppose.

-Dev
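To make the distinction in this thread concrete (an allowed import origin in script-src does not by itself grant inline script, and an event-handler attribute is stricter still), here is an added illustration that is not part of the list post: a simplified model of the CSP2 script-src decision. The document origin, the policy string and the URLs are constructed for the demo; host matching is exact-origin only and hashes are left out.

```python
from urllib.parse import urlsplit

DOC_ORIGIN = "https://app.example"  # constructed document origin for the demo


def _origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"


def _script_sources(policy):
    """Return the source list governing scripts: script-src, else default-src."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives.get("script-src", directives.get("default-src", []))


def csp_allows(policy, kind, src=None, nonce=None):
    """Simplified CSP2 decision for one script of a given kind.

    kind: "external" (a <script src> or an HTML import fetched from a URL),
          "inline" (an inline <script> element),
          "handler" (an inline event-handler attribute such as onclick).
    """
    sources = _script_sources(policy)
    nonces = {s[7:-1] for s in sources if s.startswith("'nonce-") and s.endswith("'")}
    # CSP2: once a nonce (or hash) appears in the list, 'unsafe-inline' is ignored.
    unsafe_inline = "'unsafe-inline'" in sources and not nonces
    if kind == "external":
        allowed = set()
        for s in sources:
            if s == "'self'":
                allowed.add(DOC_ORIGIN)
            elif "://" in s:  # host-source with a scheme; keywords start with a quote
                allowed.add(_origin(s))
        return src is not None and _origin(src) in allowed
    if kind == "inline":
        return unsafe_inline or (nonce is not None and nonce in nonces)
    if kind == "handler":
        # No nonce can whitelist a handler attribute in CSP2: only 'unsafe-inline' does.
        return unsafe_inline
    raise ValueError(f"unknown script kind: {kind}")


def demo():
    """A policy that allows the import origin and a nonce, but never 'unsafe-inline'."""
    policy = "default-src 'none'; script-src 'self' https://imports.example 'nonce-r4nd0m'"
    return {
        "import": csp_allows(policy, "external", src="https://imports.example/widget.html"),
        "inline_no_nonce": csp_allows(policy, "inline"),
        "inline_nonce": csp_allows(policy, "inline", nonce="r4nd0m"),
        "handler": csp_allows(policy, "handler"),
    }
```

Running `demo()` shows the import allowed, the un-nonced inline script and the event handler blocked, and only the nonced inline script let through.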
Received on Saturday, 4 April 2015 04:24:28 UTC
