On Apr 5, 3:25 pm, FunkyRes <funky...@gmail.com> wrote:
> On Mar 30, 11:46 am, "bste...@mozilla.com" <bste...@mozilla.com>
> wrote:
> > Actually, all event-handling HTML attributes will be blocked, as they
> > are a common vector for XSS, e.g. <body onload="evil()">. However,
> > sites will still be able to do event handling in the following ways:
>
> but evil() can only exist as a javascript built-in function or as a
> function defined in a white-listed source.
First, "evil()" is just a short way of expressing the idea of "malicious JavaScript code". That placeholder doesn't have to represent a single function call. You can replace it with any literal malicious code if that helps your thinking about the model.

Also, even if a function is defined in a white-listed file, you still will not be able to call it from within the protected document. The general assumption is that *all* code within the top-level protected document cannot be trusted, because it could have been injected by an attacker. This includes even solitary function calls. CSP's solution is to only trust code inside the white-listed script files.

Hope this is helpful.

Thanks,
Brandon

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
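The trust model Brandon describes, as an added example that is not code from the thread or from Mozilla's CSP implementation: a small model of the script-src decision in which any inline code (an on* attribute or inline script, even a one-line call into a function from a white-listed file) is refused unless the policy opts in with 'unsafe-inline', while an external script runs only if its origin matches a white-listed source. The policy strings, hostnames and document origin are constructed samples; source expressions with paths, ports or nonces are not modelled.

```javascript
// Parse a Content-Security-Policy header into { directive: [sourceExpressions] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// script-src governs scripts; default-src is the fallback when it is absent.
function scriptSources(policy) {
  return policy['script-src'] || policy['default-src'] || [];
}

// Match one source expression ('self', host, scheme://host, *.host) against a script URL.
function sourceMatches(source, url, documentOrigin) {
  if (source === "'self'") return url.origin === documentOrigin;
  if (source.startsWith("'")) return false; // other keywords ('none', 'unsafe-inline') never match a URL
  const expr = source.includes('://') ? source : `${url.protocol}//${source}`;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^/:*]+)\/?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (`${scheme.toLowerCase()}:` !== url.protocol) return false;
  const h = url.hostname.toLowerCase(), want = host.toLowerCase();
  // *.example.net matches a.example.net but, as in CSP, not example.net itself.
  return wildcard ? h.endsWith(`.${want}`) : h === want;
}

// item is { kind: 'inline' } for any code living in the protected document
// (on* attributes, inline <script>), or { kind: 'external', url } for <script src>.
function isScriptAllowed(headerValue, item, documentOrigin) {
  const sources = scriptSources(parseCsp(headerValue));
  if (item.kind === 'inline') return sources.includes("'unsafe-inline'");
  const url = new URL(item.url);
  return sources.some(src => sourceMatches(src, url, documentOrigin));
}

// Constructed sample: the protected document is served from https://app.example.com
// and white-lists its own origin, one CDN host, and a wildcard static domain.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com *.static.example.net";
const DOC_ORIGIN = 'https://app.example.com';

console.log(isScriptAllowed(SAMPLE_CSP, { kind: 'inline' }, DOC_ORIGIN));                                   // false
console.log(isScriptAllowed(SAMPLE_CSP, { kind: 'external', url: 'https://cdn.example.com/lib.js' }, DOC_ORIGIN)); // true
```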