Hi, The script-src: 'unsafe-inline' does 2 jobs: 1. Allow execution of inline & on page js. *2. Allow Js events such as onclick, onchange, etc* Js Events can not be always binded using js as it doesn't work on some browsers (on mobile devices). Allowing only Js events would not open up more vectors for XSS if we restrict it to calling functions (onclick='jsFunc();') only & not executing inline js (onclick='prompt(..)'). Maybe we could add new value for script-src: unsafe-js-event would only allow calling Functions using js events. unsafe-inline would only allow execution of js code on page. With domain white-listing, the scope will be limited. Regards, Harssh MahajanReceived on Friday, 10 June 2016 15:16:32 UTC
This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:20 UTC