Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

From: Michael A. Peters <mpeters@domblogger.net>
Date: Fri, 2 Dec 2016 09:07:54 -0800
To: whatwg@lists.whatwg.org
Message-ID: <353e5109-a7e1-bd69-3447-dcac7701210a@domblogger.net>

On 12/02/2016 08:47 AM, Boris Zbarsky wrote:
> On 12/2/16 11:34 AM, Michael A. Peters wrote:
>> It seems that CSP behavior has radically changed since the last time I
>> looked at it
>
> I can't speak to when you last looked at it, but the current state
> shipping in browsers is, as far as I know, no different from what
> browsers shipped initially for purposes of this discussion.
>
>> At least historically, the on* attributes were not allowed, the style
>> attributes were not allowed, and any script nodes in the body were not
>> allowed.
>
> If you specify script-src and style-src and don't include
> 'unsafe-inline', sure.
>
>> If CSP now allows them by default then I am not very happy about that
>
> CSP allows the things you don't issue directives for.  If you don't
> issue any script-src directives (or default-src directives), then there
> won't be any limitations on scripts.
>
> -Boris

Last time I read the specification, unsafe-inline didn't exist. Last time I glanced at the site, unsafe-inline existed but was not supported by all browsers and required a declared hash to work.

Received on Friday, 2 December 2016 17:08:28 UTC
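The directive fallback Boris describes (no script-src or default-src means no restriction on scripts; a script-src or style-src without 'unsafe-inline' blocks inline script and style) can be checked mechanically. The following evaluator is an added example, not code from either poster or from the WHATWG/CSP specification. It parses a Content-Security-Policy header value and reports whether inline script (a <script> body or an on* handler attribute) and inline style attributes would be allowed. It assumes the CSP Level 2 rule that a nonce- or hash-source in the same directive causes 'unsafe-inline' to be ignored, and it deliberately does not model the Level 3 script-src-elem/script-src-attr split or 'strict-dynamic'; the header strings in the demo are constructed.

```javascript
// Parse a CSP header value into a Map of directive name -> source list.
// Per the spec, a duplicate directive name is ignored (first one wins).
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Resolve which source list governs a fetch directive: the directive
// itself, else default-src, else nothing (no restriction at all).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Inline script/style is allowed only when no governing directive exists,
// or when the governing list contains 'unsafe-inline' and no nonce/hash
// source (CSP Level 2: a nonce or hash makes 'unsafe-inline' ignored).
// Assumption: script-src-elem/-attr and 'strict-dynamic' are not modelled.
function inlineAllowed(policy, directive) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  const hasUnsafeInline = sources.some(s => s.toLowerCase() === "'unsafe-inline'");
  return hasUnsafeInline && !hasNonceOrHash;
}

// Summarise a header value as {inlineScript, inlineStyle} booleans.
function evaluate(header) {
  const policy = parsePolicy(header);
  return {
    inlineScript: inlineAllowed(policy, 'script-src'),
    inlineStyle: inlineAllowed(policy, 'style-src'),
  };
}

// Constructed demo headers illustrating the thread's points.
const demos = [
  "img-src 'self'",                                         // nothing governs scripts: inline allowed
  "default-src 'self'",                                     // default-src covers script and style: blocked
  "default-src 'self'; script-src 'self' 'unsafe-inline'",  // inline script yes, inline style no
  "script-src 'unsafe-inline' 'nonce-abc123'",              // nonce present: 'unsafe-inline' ignored
];
for (const h of demos) console.log(JSON.stringify(h), evaluate(h));

module.exports = { parsePolicy, effectiveSources, inlineAllowed, evaluate };
```

Run with node to see each header's result; the last case is the one where a reader expecting 'unsafe-inline' to "just work" is surprised, because the nonce in the same directive switches inline permission off.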

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 17:00:40 UTC