An _unmodified_ index.html is trusted. Why not allow inline script in this case?

<script src="definesA.js"/>
<script> var B = A; </script>
<script src="usesB.js"/>
<script> var c = 2; </script>
<script src="usesc.js"/>

B2G could treat the above index.html as if it were like this:

<script src="definesA.js"/>
<script src="snippet1.js"/> <!-- <script>var B = A;</script> -->
<script src="usesB.js"/>
<script src="snippet2.js"/> <!-- <script> var c = 2; </script> -->
<script src="usesc.js"/>

I don't see how harm can be done in this case and think that closing https://bugzilla.mozilla.org/show_bug.cgi?id=1096854 should be reconsidered.

-----Original Message-----
From: Frederik Braun [mailto:[email protected]]
Sent: Wednesday, November 12, 2014 2:59 PM
To: Nennker, Axel; [email protected]
Subject: Re: [b2g] Allow inline script in priviledged apps for app html

> I fail to see the difference between code that is inlined in a html file that
> is part of the app and code that is loaded from a js file.
>
> Would it work if I move all inline script snippets into files?
> Instead of "<p><script>alert("XSS");</script></p>" I would write
> "<p><script src="alert.js"/></p>"
> With alert.js containing "alert('XSS');"
>
> If this works, then how does it improve security?
>

An attacker can never create a file within your packaged app. But an attacker *may* be able to create a script tag within a vulnerable application by injecting script tags into calls to innerHTML.

My feedback with the Cordova people is btw. pending, you can follow the conversation online[1] - It also contains some interesting suggestions on how to automatically externalize all your inline scripts[2].

[0] http://callback.markmail.org/search/?q=#query:%20list%3Aorg.apache.incubator.callback-dev+page:1+mid:xmy6it4tkokcfktc+state:results
[1] http://callback.markmail.org/search/?q=#query:%20list%3Aorg.apache.incubator.callback-dev+page:1+mid:xagvpmc2m3nw2m6w+state:results

_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
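The rewrite Axel sketches by hand (each inline block moved into snippetN.js in document order) is exactly what the "automatically externalize all your inline scripts" suggestion amounts to, and it can be done mechanically at build time. The following Node script is an added example written for this page; it is not B2G, Gaia or Cordova code, and the file names (snippetN.js), the sample index.html and the auditInline() helper are its own assumptions. It goes one step beyond the thread: besides externalizing <script> bodies it counts the inline constructs a CSP without 'unsafe-inline' also refuses (inline event handlers and javascript: URLs), which no externalizer can fix and which therefore need manual refactoring.

```javascript
'use strict';
// Build-time externalizer for inline <script> blocks in a packaged web app.
// Added example, not B2G, Gaia or Cordova code. Every inline <script>...</script>
// body is moved into snippetN.js (numbered in document order, so execution
// order and shared globals such as A, B and c are preserved) and the tag
// becomes <script src="snippetN.js"></script>. HTML comments and scripts that
// already have a src attribute are left untouched. Regex-based: it assumes
// well-formed markup with closing </script> tags, which a packaged index.html
// under the developer's control can guarantee.

const TOKEN_RE = new RegExp(
  [
    '<!--[\\s\\S]*?-->',                                         // 1: HTML comment, kept verbatim
    '<script\\b[^>]*\\ssrc\\s*=[^>]*\\/>',                       // 2: self-closing external script
    '<script\\b[^>]*\\ssrc\\s*=[^>]*>[\\s\\S]*?<\\/script\\s*>', // 3: external script with closing tag
    '<script\\b([^>]*)>([\\s\\S]*?)<\\/script\\s*>',             // 4: inline script -> (attrs, body)
  ].join('|'),
  'gi'
);

// Returns { html, files }; files maps snippet file name -> original script body.
function externalizeInlineScripts(html, prefix = 'snippet') {
  const files = {};
  let n = 0;
  const out = html.replace(TOKEN_RE, (match, attrs, body) => {
    if (body === undefined) return match;   // alternatives 1-3: nothing to do
    n += 1;
    const name = `${prefix}${n}.js`;
    files[name] = body;
    return `<script src="${name}"${attrs}></script>`;
  });
  return { html: out, files };
}

// A CSP without 'unsafe-inline' blocks more than <script> bodies: inline event
// handlers and javascript: URLs are refused as well. auditInline() counts what
// is left so the transform can be verified (inlineScripts must be 0) and the
// remaining manual work becomes visible.
function auditInline(html) {
  let inlineScripts = 0;
  for (const m of html.matchAll(TOKEN_RE)) {
    if (m[2] !== undefined) inlineScripts += 1;
  }
  const noComments = html.replace(/<!--[\s\S]*?-->/g, '');
  let eventHandlers = 0;
  for (const tag of noComments.match(/<[a-z][^>]*>/gi) || []) {
    eventHandlers += (tag.match(/\son[a-z]+\s*=/gi) || []).length;
  }
  const javascriptUrls =
    (noComments.match(/\s(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/gi) || []).length;
  return { inlineScripts, eventHandlers, javascriptUrls };
}

// Constructed sample input modelled on the index.html discussed in the
// thread; not a real app file.
const SAMPLE_INDEX_HTML = [
  '<!DOCTYPE html>',
  '<html><head><meta charset="utf-8"><title>demo</title>',
  '<script src="definesA.js"></script>',
  '<script> var B = A; </script>',
  '<script src="usesB.js"></script>',
  '<!-- <script>var old = 1;</script> -->',
  '<script type="text/javascript"> var c = 2; </script>',
  '<script src="usesc.js"></script>',
  '</head><body>',
  '<button onclick="alert(1)">press</button>',
  '<a href="javascript:void(0)">noop</a>',
  '</body></html>',
].join('\n');

// Stand-alone use: node externalize.js path/to/index.html
// Rewrites index.html in place and writes snippetN.js next to it.
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const fs = require('fs');
  const path = require('path');
  const file = process.argv[2];
  const { html, files } = externalizeInlineScripts(fs.readFileSync(file, 'utf8'));
  for (const [name, body] of Object.entries(files)) {
    fs.writeFileSync(path.join(path.dirname(file), name), body.trim() + '\n');
  }
  fs.writeFileSync(file, html);
  console.log(`${Object.keys(files).length} inline script(s) externalized;`,
              'remaining:', JSON.stringify(auditInline(html)));
}
```

On the sample above the transform produces snippet1.js and snippet2.js, leaves the commented-out script and the three external scripts alone, and auditInline() reports that no inline <script> remains but one onclick handler and one javascript: URL still do. The point for the CSP discussion: the transform only ever runs over files the developer ships in the package, so the resulting external scripts have the property Frederik describes (an attacker cannot add one), while script tags injected through innerHTML at runtime are still inline and still blocked.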
