Hi, can you clarify what you mean by "decide manually"? Interactively?

Have you seen the discussion of the proposed script-hash directive for CSP 1.1 on the W3C webappsec list? http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0052.html has a proposal. The basic idea is that, since for performance reasons it's difficult for some sites to get rid of all inline script, a CSP can explicitly whitelist certain inline scripts and allow them to run. In your example, you could use script-hash to only allow s1 or s2 based on their hash. The proposal is still in its early stages at this point.

cheers,
ian

----- Original Message -----
From: "jeremy ralegh" <[email protected]>
To: [email protected]
Cc: "Boris Zbarsky" <[email protected]>, [email protected]
Sent: Wednesday, February 20, 2013 1:09:22 AM
Subject: Re: CSP and inline-scripting

Thanks for your input. I'll check out your hints. Nonetheless I think that my question wasn't precise enough. What I'm actually thinking about is the following. Let's assume we have an HTML doc with two inline script areas like

<script id="s1"> ... </script>
<script id="s2"> ... </script>

I want to block "s1", but allow "s2" in the same document. As far as I've understood CSP, it's only possible to block both scripts (by default) or allow both using unsafe-inline. I'd like to avoid "unsafe-inline" and "unsafe-eval" as they soften the policy and instead decide manually which parts to allow and which ones to block. Is there any chance to achieve this with CSP as it is (or maybe by adding some lines of code)?

Jeremy

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
