CSP script-src - Allow JS Events


The script-src 'unsafe-inline' does 2 jobs:
1. Allow execution of inline and on-page JS.
*2. Allow JS events such as onclick, onchange, etc.*

JS events cannot always be bound using JS, as it doesn't work in some
browsers (on mobile devices).
Allowing only JS events would not open up more vectors for XSS if we
restrict it to calling functions (onclick='jsFunc();') only and not executing
inline JS (onclick='prompt(..)').

Maybe we could add a new value for script-src:
unsafe-js-event would only allow calling functions using JS events.
unsafe-inline would only allow execution of JS code on the page.
With domain white-listing, the scope will be limited.

Harssh Mahajan

Received on Friday, 10 June 2016 15:16:32 UTC
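The following is an added example, not code from the post or from any CSP implementation. It is a toy evaluator for the script-src directive that models what 'unsafe-inline' permits today and what the proposed 'unsafe-js-event' keyword would permit, so the two can be compared on the same page. The model is deliberately small: it recognises 'self', 'unsafe-inline', scheme://host sources and the hypothetical 'unsafe-js-event'; nonces, hashes and wildcards are left out. The reading of "calling functions only" is an assumption: a handler body is accepted when it is a single call to a named function with no arguments (the post's onclick='jsFunc();' shape), and anything else is rejected. The page origin, the sample policies and the sample script requests are constructed for the demonstration.

```javascript
// Added example (not from the post): a toy evaluator for the CSP script-src
// directive modelling 'unsafe-inline' and the proposed 'unsafe-js-event'.
// Simplified model, not a real CSP engine: only 'self', 'unsafe-inline',
// scheme://host sources and the hypothetical 'unsafe-js-event' are handled.

// Extract the script-src source list from a full CSP header value.
// Returns null when the header carries no script-src directive.
function parseScriptSrc(header) {
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] === 'script-src') return tokens.slice(1);
  }
  return null;
}

// Assumed reading of the proposal: a handler body passes only when it is a
// single call to a named function with no arguments, e.g. "jsFunc();".
// Bodies with arguments, several statements or other expressions fail.
const BARE_CALL = /^\s*[A-Za-z_$][\w$]*\s*\(\s*\)\s*;?\s*$/;

function isBareFunctionCall(body) {
  return BARE_CALL.test(body);
}

// Does an external script URL match 'self' or a scheme://host source?
function matchesHostSource(source, url, pageOrigin) {
  if (source === "'self'") return new URL(url).origin === pageOrigin;
  if (source.startsWith("'")) return false;   // other keywords never match URLs
  try {
    return new URL(source).origin === new URL(url).origin;
  } catch (_) {
    return false;                             // not a parseable scheme://host source
  }
}

// Decide whether one script execution request is permitted by the policy.
// req is one of:
//   { kind: 'external', url }          a <script src="..."> element
//   { kind: 'inline-script', body }    a <script>...</script> block
//   { kind: 'event-handler', body }    an onclick="..." style attribute
function isScriptAllowed(sources, req, pageOrigin) {
  const has = (kw) => sources.includes(kw);
  switch (req.kind) {
    case 'external':
      return sources.some((s) => matchesHostSource(s, req.url, pageOrigin));
    case 'inline-script':
      return has("'unsafe-inline'");
    case 'event-handler':
      // Today inline handlers ride on 'unsafe-inline'; the proposal adds a
      // narrower keyword that only admits "name();" bodies.
      return has("'unsafe-inline'") ||
        (has("'unsafe-js-event'") && isBareFunctionCall(req.body));
    default:
      throw new Error(`unknown request kind: ${req.kind}`);
  }
}

// Constructed sample page: one origin, five script requests.
const PAGE_ORIGIN = 'https://app.example';
const REQUESTS = [
  { kind: 'external', url: 'https://app.example/static/main.js' },
  { kind: 'external', url: 'https://evil.example/x.js' },
  { kind: 'inline-script', body: 'document.write(location.hash)' },
  { kind: 'event-handler', body: 'jsFunc();' },
  { kind: 'event-handler', body: 'prompt(document.cookie)' },
];

// Evaluate every sample request under one header; returns a boolean per request.
function evaluatePolicy(header) {
  const sources = parseScriptSrc(header) || [];
  return REQUESTS.map((r) => isScriptAllowed(sources, r, PAGE_ORIGIN));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const header of [
    "default-src 'none'; script-src 'self'",
    "default-src 'none'; script-src 'self' 'unsafe-inline'",
    "default-src 'none'; script-src 'self' 'unsafe-js-event'",
  ]) {
    console.log(header, '->', evaluatePolicy(header));
  }
}
```

Running the block shows the gap the proposal is trying to close: with script-src 'self' alone, both the inline script and both handlers are blocked; with 'unsafe-inline' everything inline is allowed, including prompt(document.cookie); with the modelled 'unsafe-js-event', only jsFunc(); gets through. The weak point a reviewer would raise is that "calling a function" is a syntactic distinction, not a semantic one: a body of prompt() with no arguments is also a bare function call and passes the same check, so any real version of this keyword would need to say which callees count. CSP Level 3 later took a different route for the same need, the 'unsafe-hashes' keyword, which lets a hash-source match the body of an inline event handler.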