Re: Whitelisting external resources by hash (was Re: Finalizing the shape of CSP ‘unsafe-dynamic’) from Daniel Veditz on 2016-06-08 (public-webappsec@w3.org from June 2016)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 8 Jun 2016 12:25:21 -0700
To: Harssh Mahajan <harssh@gmail.com>
Cc: Artur Janc <aaj@google.com>, Brad Hill <hillbrad@gmail.com>, Mike West <mkwst@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, WebAppSec WG <public-webappsec@w3.org>, Christoph Kerschbaumer <ckerschbaumer@mozilla.com>, Daniel Bates <dabates@apple.com>, Devdatta Akhawe <dev@dropbox.com>
Message-ID: <CADYDTCBM1nrXrmffa5=upswHpFNJpDyoN-_ZFmP01+daG5q9+w@mail.gmail.com>

On Wed, Jun 8, 2016 at 1:33 AM, Harssh Mahajan <harssh@gmail.com> wrote:

> CSP requires unsafe-inline for script-src for executing
> onchange='jsfunc();'. jQuery event handlers are an alternative but there
> are some mobile browsers that don't support jQuery event handlers.
>
> "script-src 'self';" - Should this allow calling js functions with
> onchange, onclick, etc?
>

Please start a separate thread for that topic

, it is unrelated to dynamic script insertion.

But no, whitelisting 'self' should not automatically open up one of the
most common vectors for XSS.

It would be nice if we could invent a hash or nonce syntax/mechanism for
these, but we're not going to allow it based only on domain whitelist.

-
Dan Veditz

Received on Wednesday, 8 June 2016 19:25:50 UTC