> Actually, all event-handling HTML attributes will be blocked, as they
> are a common vector for XSS, e.g. <body onload="evil()">. However,
> sites will still be able to do event handling in the following ways:
> 1) setting the on<event> properties of an element, e.g. foo.onclick =
> myFunc;
> 2) using addEventListener, e.g. foo.addEventListener("click", myFunc,
> false);
>
> Of course, both methods would have to be used from within white-listed
> script files.
Are such script files still exposed across domains, as they used to be? I'm wondering if it might be difficult to generate those scripts for a highly dynamic page without leaking sensitive content.

There's also the question of whether this approach just moves the cross-site scripting risk to direct injection into JavaScript code. The proposal does not really address this (which is not its fault), but CSP restrictions might lead developers to rely increasingly on JavaScript code generation to add HTML attributes which are blocked.

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
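The exchange above in working code, as an added example that is not part of either message: an audit helper that lists the inline event-handler attributes the quoted CSP rule would block, the script-generation pattern the reply worries about (per-page data concatenated into JavaScript), and a data-attribute alternative that keeps the data inert and the script static. It runs under Node without a DOM; the function names, the `show()` callback and the sample inputs are assumptions.

```javascript
// Added example, not code from the dev-security thread. Node-runnable, no DOM.

// 1. Audit helper: list inline event-handler attributes (on<event>="...")
//    in an HTML string. These are what the quoted CSP rule blocks.
//    Simple tag scan; it does not handle ">" inside attribute values.
function findInlineEventHandlers(html) {
  const found = [];
  for (const tag of html.match(/<[a-zA-Z][^>]*>/g) || []) {
    for (const m of tag.matchAll(/\s(on[a-z]+)\s*=/gi)) {
      found.push(m[1].toLowerCase());
    }
  }
  return found;
}

// Minimal escaping for text placed inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// 2. The pattern the reply warns about: CSP forbids onclick="...", so the
//    page generates JavaScript instead and splices page data into it.
//    A value like BREAKOUT (constructed) closes the string literal and the
//    remainder runs as code: the XSS has moved into the script, not gone away.
const BREAKOUT = "'); evil(); ('";
function renderGeneratedScript(label) {
  return '<button id="b">Go</button>\n' +
    '<script>document.getElementById("b").onclick = ' +
    "function () { show('" + label + "'); };</script>";
}

// 3. Hardened pattern: the data lives in an escaped attribute as inert text,
//    and the handler is a fixed script (eligible for a CSP white-list) that
//    attaches via addEventListener, as the quoted message describes, and
//    reads the data back from the element at click time.
const STATIC_HANDLER_SCRIPT =
  'document.addEventListener("DOMContentLoaded", function () {\n' +
  '  var b = document.getElementById("b");\n' +
  '  b.addEventListener("click", function () { show(b.dataset.label); }, false);\n' +
  "});";
function renderDataAttribute(label) {
  return '<button id="b" data-label="' + escapeAttr(label) + '">Go</button>';
}
```

`renderDataAttribute` is the only per-request output; `STATIC_HANDLER_SCRIPT` never changes, so it can be served as one of the white-listed script files regardless of what the page contains.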