On Mon, Aug 18, 2014 at 12:57 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
> On Sun, Aug 17, 2014 at 8:52 PM, John Barton <johnjbar...@google.com> wrote:
> > The argument goes like this: we all want secure Web pages, we can't secure
> > Web pages that allow inline scripts, therefore we have to ban inline
> > scripts.
> >
> > If the argument is wrong, ignore my advice, CSP will die. I personally
> > think that would be great.
>
> It seems you did not read what I wrote. CSP does support inline
> scripts these days.

So you are claiming that CSP no longer restricts inline scripts and that the various online docs are incorrect? Or only that the server set the "unsafe-inline" value to opt out of the restriction?

Some of the sites that make me think this has not changed:

http://www.w3.org/TR/CSP/

    In either case, authors should not include 'unsafe-inline' in their CSP policies if they wish to protect themselves against XSS.

https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives

    *Note:* Both 'unsafe-inline' and 'unsafe-eval' are unsafe and can open your web site up to cross-site scripting vulnerabilities.

http://content-security-policy.com/

jjb
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss