
Re: Whitelisting external resources by hash (was Re: Finalizing the shape of CSP ‘unsafe-dynamic’)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 8 Jun 2016 12:25:21 -0700
Message-ID: <CADYDTCBM1nrXrmffa5=upswHpFNJpDyoN-_ZFmP01+daG5q9+w@mail.gmail.com>
To: Harssh Mahajan <harssh@gmail.com>
Cc: Artur Janc <aaj@google.com>, Brad Hill <hillbrad@gmail.com>, Mike West <mkwst@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, WebAppSec WG <public-webappsec@w3.org>, Christoph Kerschbaumer <ckerschbaumer@mozilla.com>, Daniel Bates <dabates@apple.com>, Devdatta Akhawe <dev@dropbox.com>
On Wed, Jun 8, 2016 at 1:33 AM, Harssh Mahajan <harssh@gmail.com> wrote:

> CSP requires unsafe-inline for script-src for executing
> onchange='jsfunc();'. jQuery event handlers are an alternative but there
> are some mobile browsers that don't support jQuery event handlers.
>
> "script-src 'self';" - Should this allow calling js functions with
> onchange, onclick, etc?
>

Please start a separate thread for that topic; it is unrelated to dynamic script insertion.

But no, whitelisting 'self' should not automatically open up one of the
most common vectors for XSS.

It would be nice if we could invent a hash or nonce syntax/mechanism for
these, but we're not going to allow it based only on domain whitelist.

-
Dan Veditz
Received on Wednesday, 8 June 2016 19:25:50 UTC
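The policy behaviour this exchange describes, as an added example that is not part of the thread or of any browser's code: a small evaluator that reports whether a given script-src source list permits inline event-handler attributes such as `onchange="jsfunc()"`. It assumes the CSP2 rule that a nonce- or hash-source causes 'unsafe-inline' to be ignored, and models CSP3's later 'unsafe-hashes' keyword as the kind of hash mechanism for handlers the reply wishes for; the `handlerHash` parameter and the sample policies are constructed for the example.

```javascript
// Added example (not from the thread): evaluate whether a CSP policy's
// script-src source list permits inline event-handler attributes.
// Rules modelled: 'self' or any host source alone never covers inline
// handlers; 'unsafe-inline' does, unless a nonce-/hash-source is present
// (CSP2); 'unsafe-hashes' (CSP3) lets a sha256 source match a handler body.

const HASH_SOURCE = /^(sha256|sha384|sha512)-/i;
const NONCE_SOURCE = /^nonce-/i;

// Return the source list governing scripts: script-src, else default-src,
// else null when the policy places no restriction on scripts at all.
function scriptSources(policy) {
  const directives = policy.split(";").map((d) => d.trim().split(/\s+/));
  for (const name of ["script-src", "default-src"]) {
    const d = directives.find((tokens) => tokens[0].toLowerCase() === name);
    if (d) return d.slice(1).map((s) => s.replace(/^'(.*)'$/, "$1"));
  }
  return null;
}

// handlerHash: base64 SHA-256 of the handler attribute's source text, or
// null when the caller is not using hashes (constructed parameter).
function inlineHandlerAllowed(policy, handlerHash = null) {
  const sources = scriptSources(policy);
  if (sources === null) return true; // no script restriction at all
  const keywords = new Set(sources.map((s) => s.toLowerCase()));
  const hasNonceOrHash = sources.some(
    (s) => NONCE_SOURCE.test(s) || HASH_SOURCE.test(s)
  );
  // CSP3 'unsafe-hashes': a hash source may match an event handler's body.
  if (keywords.has("unsafe-hashes") && handlerHash !== null) {
    if (sources.includes(`sha256-${handlerHash}`)) return true;
  }
  // 'self' or a host whitelist alone never permits inline handlers;
  // 'unsafe-inline' does, but a nonce/hash source overrides it (CSP2+).
  return keywords.has("unsafe-inline") && !hasNonceOrHash;
}
```

The safe alternative for the quoted case is to drop the attribute and register the handler with `addEventListener` in an external script, which 'self' already covers.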
