W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2016

CSP script-src - Allow Js Events

From: Harssh Mahajan <harssh@gmail.com>
Date: Fri, 10 Jun 2016 20:46:04 +0530
Message-ID: <CAJN0qJGqp1eUVC6OBKq7fM0s-6vz+TuejsKyMBxsmejgOoSRbg@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
Cc: dveditz@mozilla.com, Harshit Sinha <harshitsinha1102@gmail.com>

The  script-src: 'unsafe-inline' does 2 jobs:
1. Allow execution of inline & on page js.
*2. Allow Js events such as onclick, onchange, etc*

Js Events can not be always binded using js as it doesn't work on some
browsers (on mobile devices).
Allowing only Js events would not open up more vectors for XSS if we
restrict it to calling functions (onclick='jsFunc();') only & not executing
inline js (onclick='prompt(..)').

Maybe we could add new value for script-src:
unsafe-js-event would only allow calling Functions using js events.
unsafe-inline would only allow execution of js code on page.
With domain white-listing, the scope will be limited.

Harssh Mahajan
Received on Friday, 10 June 2016 15:16:32 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:56 UTC