> Actually, all event-handling HTML attributes will be blocked, as they
> are a common vector for XSS, e.g. <body onload="evil()">.  However,
> sites will still be able to do event handling in the following ways:
> 1) setting the on<event> properties of an element, e.g. foo.onclick =
> myFunc;
> 2) using addEventListener, e.g. foo.addEventListener("click", myFunc,
> false);
>
> Of course, both methods would have to be used from within white-listed
> script files.

Are such script files still exposed across domains, as they used to
be?  I'm wondering if it might be difficult to generate those scripts
for a highly dynamic page without leaking sensitive content.

There's also the question of whether this approach just moves the
cross-site scripting risk to direct injection into JavaScript code.  The
proposal does not really address this (which is not its fault), but CSP
restrictions might lead developers to rely increasingly on JavaScript
code generation to add HTML attributes which are blocked.
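To illustrate the concern above (an added example, not code from this thread or from the CSP proposal), the functions below contrast a server that builds a script body by string concatenation with two approaches that keep untrusted data out of executable context: a properly escaped JS literal, or an entity-escaped data attribute that a whitelisted external script reads. The function names and the hostile input are constructed for the example.

```javascript
// UNSAFE: concatenating page data into generated script. A value such as
// `"; evil(); "` closes the string literal and the rest becomes code.
function unsafeScriptFor(title) {
  return 'document.title = "' + title + '";';
}

// SAFER: JSON.stringify escapes quotes and backslashes; "<" and the
// U+2028/U+2029 line terminators are escaped as well because they are
// legal inside a JSON string but can break out of inline script text.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function safeScriptFor(title) {
  return 'document.title = ' + jsStringLiteral(title) + ';';
}

// NO GENERATED SCRIPT AT ALL: emit the data as an entity-escaped HTML
// attribute. The whitelisted external script then reads it and attaches
// handlers with addEventListener, e.g. (browser side, not run here):
//   var el = document.getElementById('page');
//   el.addEventListener('click', function () {
//     document.title = el.getAttribute('data-title');
//   }, false);
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function dataAttributeMarkup(title) {
  return '<div id="page" data-title="' + escapeAttr(title) + '"></div>';
}

// Constructed hostile input: tries to terminate the literal and run code.
const hostile = '"; evil(); "';
```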
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security