
Re: Every example fails

From: Andrea Giammarchi <andrea.giammarchi@gmail.com>
Date: Fri, 12 Jun 2015 16:58:16 +0200
Message-ID: <CADA77miczVuHOOE8XQcLxnWhnt4dWVEmSebN1HNmBv+NXPnZ5A@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Thank you. Filed here: https://github.com/w3c/webappsec/issues/400

Actually realized Chromium works fine so I am not sure what's going on.

I have an extra CSP-related question though: why wouldn't the following be
a valid CSP?

```html
<!DOCTYPE html>
<html>
  <head>
    <title>onerror</title>
    <meta http-equiv="Content-Security-Policy" content="script-src
'unsafe-inline' 'self' 'sha1-DSau7r3JVE2GzvxPu7E30nPvKvk='
'sha256-2DeTNE/GNcg7ftOXAXqf+5HD2cpXFYUONXVY9ph9Xs4='
'sha1-uMAIKO47OG1AyN7ac4mgegv6QNo='
'sha256-Hwinc9z3otmvBpV3SyX+NjMEoCxaVgNySJHua/tP3qo='">

<script>Image.onerror=function(){if(/\.svg$/.test(this.src))this.src=this.src.slice(0,-3)+'png'}</script>
  </head>
  <body>
    <img src="test.svg" onerror="Image.onerror.call(this)"/>
  </body>
</html>
```

It's actually the easiest way to degrade SVG into PNG for older browsers
(where CSP won't even be supported) without needing to analyze each Image
status, since it's basically impossible, cross-platform speaking, to do a
reliable check after an error has potentially occurred (too many quirks in
the naturalWidth/Height or width/height or complete state).

I think JS inside inline listeners should "just work" as any other inlined
script, or why wouldn't it?

Thanks for examining this case too.

Best Regards

On Fri, Jun 12, 2015 at 4:08 PM, Mike West <mkwst@google.com> wrote:

> That sounds like a problem. :)
>
> What browsers do you see this in? Would you mind filing a bug at
> https://github.com/w3c/webappsec/issues/new?title=CSP: and I'll figure
> out whether the spec's wrong or the browsers are wrong (and then fix the
> spec either way, since browsers are shipping, and it's just a document...
> :) ).
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
> On Wed, Jun 10, 2015 at 11:23 AM, Andrea Giammarchi <
> andrea.giammarchi@gmail.com> wrote:
>
>> This page used to work:
>> http://webreflection.github.io/DOMContentLoaded/example.html
>>
>> now it fails.
>>
>> The example using sha512 in here also fails:
>> http://www.w3.org/TR/CSP/#script-src-hash-usage
>>
>> if you use the sha256 version of the alert it fails too.
>>
>> Has inline behavior changed and does the documentation need some update, or
>> is it just my array of browsers that suddenly won't work anymore with CSP
>> scripts?
>>
>> Thank you in advance for any sort of clarification.
>>
>
>
Received on Friday, 12 June 2015 14:58:44 UTC
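The question in the mail above is answered by two rules of CSP Level 2: once a script-src list contains any hash-source or nonce-source, `'unsafe-inline'` is ignored, and a hash-source only covers the text of an inline `<script>` element, never an inline event handler attribute such as `onerror="..."`. The following script is an added example (not part of the thread, nor W3C or browser code) that models those two rules and computes hash-source tokens. The function names (`csp_hash`, `inline_script_allowed`, `inline_handler_allowed`, `fixed_policy`) are my own; `MAIL_SCRIPT` and `MAIL_POLICY` are copied from the HTML in the mail, with the policy's line breaks collapsed to spaces.

```python
import base64
import hashlib
import re

# Hash algorithms CSP Level 2 recognises in a hash-source token. The 'sha1-...'
# tokens in the mail's policy are not among them, so a parser drops them.
HASH_TOKEN = re.compile(r"^'(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})'$")


def csp_hash(script_body: str, algo: str = "sha256") -> str:
    """Build the hash-source token for an inline <script> body.

    The digest covers the exact text between <script> and </script>,
    whitespace included, base64-encoded with the standard alphabet and padding.
    """
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def script_src_sources(policy: str) -> list:
    """Return the source-expression tokens of the script-src directive."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return tokens[1:]
    return []


def _hash_or_nonce_present(sources) -> bool:
    return any(HASH_TOKEN.match(s) or s.startswith("'nonce-") for s in sources)


def inline_script_allowed(policy: str, script_body: str) -> bool:
    """CSP 2: may an inline <script> element with this exact body run?"""
    sources = script_src_sources(policy)
    if _hash_or_nonce_present(sources):
        # A hash-source or nonce-source disables 'unsafe-inline'; the body
        # must then match one of the listed hashes byte for byte.
        return any(
            csp_hash(script_body, HASH_TOKEN.match(s).group(1)) == s
            for s in sources
            if HASH_TOKEN.match(s)
        )
    return "'unsafe-inline'" in sources


def inline_handler_allowed(policy: str) -> bool:
    """CSP 2: may an inline event handler attribute (onerror="...") run?

    Hash-sources only apply to <script> element contents, so a handler
    attribute runs only under 'unsafe-inline' with no hash or nonce source
    present to switch that keyword off.
    """
    sources = script_src_sources(policy)
    return "'unsafe-inline'" in sources and not _hash_or_nonce_present(sources)


# Copied from the example page in the mail (policy line breaks collapsed).
MAIL_SCRIPT = ("Image.onerror=function(){if(/\\.svg$/.test(this.src))"
               "this.src=this.src.slice(0,-3)+'png'}")
MAIL_POLICY = ("script-src 'unsafe-inline' 'self' "
               "'sha1-DSau7r3JVE2GzvxPu7E30nPvKvk=' "
               "'sha256-2DeTNE/GNcg7ftOXAXqf+5HD2cpXFYUONXVY9ph9Xs4=' "
               "'sha1-uMAIKO47OG1AyN7ac4mgegv6QNo=' "
               "'sha256-Hwinc9z3otmvBpV3SyX+NjMEoCxaVgNySJHua/tP3qo='")


def fixed_policy(script_body: str) -> str:
    """A policy that lets exactly this inline <script> body run and nothing else inline."""
    return "script-src 'self' " + csp_hash(script_body)


if __name__ == "__main__":
    print("hash of the mail's inline script:", csp_hash(MAIL_SCRIPT))
    print("mail policy, inline <script>:", inline_script_allowed(MAIL_POLICY, MAIL_SCRIPT))
    print("mail policy, onerror attribute:", inline_handler_allowed(MAIL_POLICY))
    print("hash-only policy, inline <script>:",
          inline_script_allowed(fixed_policy(MAIL_SCRIPT), MAIL_SCRIPT))
```

Run against the mail's own policy, `inline_handler_allowed` is false whatever the hashes are: the sha256 tokens alone are enough to switch off `'unsafe-inline'`, so the `onerror` attribute is blocked even if the `<script>` body matches one of them. The defender-friendly fix is to drop the attribute and attach the handler from the hashed script (`addEventListener` or assigning `img.onerror`), which keeps the policy free of `'unsafe-inline'`. Later CSP Level 3 introduced `'unsafe-hashes'` to let a hash cover event handler attributes, but that keyword did not exist when this thread was written.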
