Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Fri, 2 Dec 2016 11:47:34 -0500
To: whatwg@lists.whatwg.org
Message-ID: <0baf8c23-d372-095f-56ac-216a5507c969@mit.edu>
On 12/2/16 11:34 AM, Michael A. Peters wrote:
> It seems that CSP behavior has radically changed since the last time I
> looked at it

I can't speak to when you last looked at it, but the current state 
shipping in browsers is, as far as I know, no different from what 
browsers shipped initially for purposes of this discussion.

> At least historically, the on* attributes were not allowed, the style
> attributes were not allowed, and any script nodes in the body were not
> allowed.

If you specify script-src and style-src and don't include 
'unsafe-inline', sure.

> If CSP now allows them by default then I am not very happy about that

CSP allows the things you don't issue directives for.  If you don't 
issue any script-src directives (or default-src directives), then there 
won't be any limitations on scripts.

-Boris
Received on Friday, 2 December 2016 16:48:14 UTC
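As an added example (not part of Boris's message or the thread), a small Python checker that applies the rule he describes: only a script-src or style-src directive, or default-src as their fallback, restricts inline script and style, and when that governing list omits 'unsafe-inline' inline content is blocked. Nonces and hashes, which also re-enable inline content, are deliberately left out for brevity; the header strings in the comments are constructed.

```python
"""Evaluate what a Content-Security-Policy header allows for inline content."""
from __future__ import annotations

# Directives that fall back to default-src when they are absent.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse "dir src src; dir src" into {directive: [sources]}.

    Browsers ignore a repeated directive, so the first occurrence wins.
    """
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        policy.setdefault(name, parts[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Return the source list governing `directive`, or None when nothing
    governs it (no restriction at all, as when only img-src is set)."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def inline_allowed(policy: dict[str, list[str]], directive: str) -> bool:
    """Inline <script> bodies and on* handlers (script-src) or style
    attributes (style-src) are blocked only when a governing source list
    exists and does not contain 'unsafe-inline' (nonces/hashes ignored)."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    return "'unsafe-inline'" in (s.lower() for s in sources)


def describe(header: str) -> dict[str, bool]:
    """Summarise a header, e.g. "default-src 'self'" (constructed) gives
    {'inline_script': False, 'inline_style': False}."""
    policy = parse_csp(header)
    return {
        "inline_script": inline_allowed(policy, "script-src"),
        "inline_style": inline_allowed(policy, "style-src"),
    }
```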

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 17:00:40 UTC