- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Fri, 3 Apr 2015 21:23:39 -0700
- To: Mike West <mkwst@google.com>
- Cc: Justin Fagnani <justinfagnani@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> You're not wrong there; inline event handlers are bad and they should feel
> bad.
>
> That said, is the risk really different in kind from just allowing plain old
> inline script that executes directly? It doesn't seem to be. Allowing one
> without allowing the other seems capricious.

I think Brad put the concern really well, but even for code written by developers I know---I would rather trust their ability to sanitize a string inside a JS variable than inside a script tag than "inside JS, inside an event handler, in response to a DOM event". And I would trust a review of the former more than a review of the latter.

> What's your ideal solution?

I tend to agree with Crispin on code data separation. Anything that mixes the two should have the word unsafe in it. If not that, then just inline scripts will make me less sad. Allowing inline scripts and event handlers just because the import is allowed in script-src is definitely something I would strongly oppose.

-Dev
Received on Saturday, 4 April 2015 04:24:28 UTC
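The code/data separation Dev argues for, as an added example that is not part of this thread and not W3C or spec code: the same untrusted value rendered first inside an inline event handler (data inside JS inside an attribute, which needs two escaping layers and a policy with 'unsafe-inline' to run at all) and then as a plain data attribute read by an external script, alongside the weak and the hardened script-src, plus a rough check a reviewer could run over server-rendered markup to find the inline constructs. Function names, the sample values, the /js/greet.js path and the nonce placeholder are my own assumptions.

```javascript
// Added example, not from the thread: the same untrusted value placed in markup
// two ways, to show why data inside an inline event handler is harder to
// sanitize and review than data kept separate from code. All names are mine.

// Layer 1: HTML attribute escaping, enough to put text in a double-quoted attribute.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Layer 2: JavaScript string-literal escaping, for text placed inside JS source.
function escapeJsString(s) {
  return String(s)
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r")
    .replace(/</g, "\\x3c");
}

// Mixed code and data: the value sits inside JS, inside an event handler
// attribute. Both escaping layers are needed, in this order (JS first, then
// attribute), and the handler only runs under a policy carrying 'unsafe-inline'.
function renderMixed(userName) {
  const js = `greet('${escapeJsString(userName)}')`;
  return `<button onclick="${escapeHtmlAttr(js)}">Hi</button>`;
}

// Separated: the value is plain data in an attribute; the code that uses it
// lives in an external script that a host- or nonce-based script-src permits.
function renderSeparated(userName) {
  return `<button data-user="${escapeHtmlAttr(userName)}">Hi</button>`;
}

// What that external script (say /js/greet.js, a hypothetical path) does: bind
// the handler in code and read the attribute, so no string ever becomes code.
const EXTERNAL_HANDLER_SRC = `
document.querySelectorAll("button[data-user]").forEach(function (b) {
  b.addEventListener("click", function () { greet(b.dataset.user); });
});`;

// Policies a server might send. Only the weak one lets renderMixed's handler run;
// the hardened one covers renderSeparated plus the external script.
const CSP_WEAK = "script-src 'self' 'unsafe-inline'";
const CSP_HARDENED = "script-src 'self' 'nonce-<random-per-response>'"; // placeholder nonce

// Rough reviewer's check over server-rendered markup: inline event handler
// attributes and <script> blocks that are neither external nor nonced. A regex
// scan, not an HTML parser, so treat hits as leads rather than verdicts.
function findInlineCode(html) {
  const handlers = [];
  for (const m of html.matchAll(/\s(on[a-z]+)\s*=/gi)) handlers.push(m[1].toLowerCase());
  const inlineScripts = [...html.matchAll(/<script\b(?![^>]*\b(?:src|nonce)=)[^>]*>/gi)].length;
  return { handlers, inlineScripts };
}

// Stand-alone run: print both renderings of a constructed value and the scan results.
if (typeof require !== "undefined" && require.main === module) {
  const sample = `Ann "A" <b>`; // constructed input
  for (const html of [renderMixed(sample), renderSeparated(sample)]) {
    console.log(html, JSON.stringify(findInlineCode(html)));
  }
}
```

The point of the pair is the escaping order: in renderMixed a reviewer has to confirm that the JS-string escaping runs before the attribute escaping and that neither layer undoes the other, while in renderSeparated there is a single attribute context and the only code is in a file the policy already names, which is the review Dev says he would trust more.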