Re: Whitelisting external resources by hash (was Re: Finalizing the shape of CSP ‘unsafe-dynamic’)

On Wed, Jun 8, 2016 at 1:33 AM, Harssh Mahajan <harssh@gmail.com> wrote:

> CSP requires unsafe-inline for script-src for executing
> onchange='jsfunc();'. jQuery event handlers are an alternative but there
> are some mobile browsers that don't support jQuery event handlers.
>
> "script-src 'self';" - Should this allow calling js functions with
> onchange, onclick, etc?
>

Please start a separate thread for that topic, it is unrelated to dynamic script insertion.

But no, whitelisting 'self' should not automatically open up one of the
most common vectors for XSS.

It would be nice if we could invent a hash or nonce syntax/mechanism for
these, but we're not going to allow it based only on domain whitelist.

-
Dan Veditz

Received on Wednesday, 8 June 2016 19:25:50 UTC