On Nov 13, 2014 6:56 AM, <[email protected]> wrote:
>
> An _unmodified_ index.html is trusted.
> Why not allow inline script in this case?
>
> <script src="definesA.js"/>
> <script>
> var B = A;
> </script>
> <script src="usesB.js"/>
> <script>
> var c = 2;
> </script>
> <script src="usesc.js"/>

You are completely right that this would be safe. There are two reasons that we don't allow it.

First of all, we currently can't tell for certain that an inline <script> comes directly from the zip package. For example, document.write is designed such that the written string is inserted directly into the stream of data that we read from disk. So we would have to start tagging parts of that stream with "read from disk" vs "generated from document.write", and be certain that we get that 100% accurate, since otherwise we have an XSS vector on our hands. We would also need to ensure that

The second reason is that the current implementation leverages existing CSP web standards. This means that we can reuse the existing well-tested and well-maintained CSP implementation that Gecko already has. It also means that we have a well-documented solution, since CSP has both a formal spec and well-written documentation. And it makes it easier for people to borrow code between packaged apps and other contexts that use CSP.

Of course, many of these advantages may not apply to you. I'm sorry about that. But it does apply to many others.

/ Jonas

> B2G could treat the above index.html as if it were like this:
> <script src="definesA.js"/>
> <script src="snippet1.js"/> <!-- <script>var B = A;</script> -->
> <script src="usesB.js"/>
> <script src="snippet2.js"/> <!-- <script> var c = 2;
> </script> <script src="usesc.js"/>
>
> I don't see how harm can be done in this case and think that closing
> https://bugzilla.mozilla.org/show_bug.cgi?id=1096854 should be reconsidered.
>
> -----Original Message-----
> From: Frederik Braun [mailto:[email protected]]
> Sent: Wednesday, November 12, 2014 2:59 PM
> To: Nennker, Axel; [email protected]
> Subject: Re: [b2g] Allow inline script in privileged apps for app html
>
> > I fail to see the difference between code that is inlined in an html file
> > that is part of the app and code that is loaded from a js file.
> >
> > Would it work if I move all inline script snippets into files?
> > Instead of "<p><script>alert("XSS");</script></p>" I would write
> > "<p><script src='alert.js"/></p>"
> > With alert.js containing "alert('XSS');"
> >
> > If this works, then how does it improve security?
> >
>
> An attacker can never create a file within your packaged app.
> But an attacker *may* be able to create a script tag within a vulnerable
> application by injecting script tags into calls to innerHTML.
>
>
> My feedback with the Cordova people is btw. pending, you can follow the
> conversation online[1] - It also contains some interesting suggestions on how
> to automatically externalize all your inline scripts[2].
>
>
> [0]
> http://callback.markmail.org/search/?q=#query:%20list%3Aorg.apache.incubator.callback-dev+page:1+mid:xmy6it4tkokcfktc+state:results
> [1]
> http://callback.markmail.org/search/?q=#query:%20list%3Aorg.apache.incubator.callback-dev+page:1+mid:xagvpmc2m3nw2m6w+state:results
> _______________________________________________
> dev-b2g mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-b2g
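The externalizing step that Axel's rewritten index.html sketches and that Frederik's pointer [2] refers to, as an added example that is not part of this thread and not B2G, Gecko or Cordova code: a Python build-step script that moves the body of each inline <script> into its own snippet file (snippet1.js, snippet2.js, ... in document order, following Axel's naming) and replaces the tag with a src reference, so the app's files satisfy a CSP without 'unsafe-inline'. The function and file names are assumptions, and the sample index.html is constructed for the example. It also reports inline event-handler attributes (onclick="..."), which the same CSP blocks and which moving <script> bodies does not fix. Note that this only changes the app's own trusted files at build time; it is the CSP itself, not this rewrite, that stops script injected through innerHTML at runtime from executing, which is the point Frederik makes above.

```python
import re
import sys
from pathlib import Path

# Matches every <script ...>...</script> element, including ones with an empty body.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
# Inline event-handler attributes (onclick="...", onload='...') are inline script
# under CSP too, and are not fixed by externalising <script> bodies.
HANDLER_RE = re.compile(r"\s(on[a-z]+)\s*=", re.IGNORECASE)
# Script types the browser executes as JavaScript. A <script type="application/json">
# block is data, never runs, and is left where it is.
JS_TYPES = {"text/javascript", "application/javascript", "module"}

# Constructed sample of an app index.html in the shape of the thread's example.
SAMPLE_INDEX_HTML = """<!DOCTYPE html>
<html><head>
<script src="definesA.js"></script>
<script>
var B = A;
</script>
<script src="usesB.js"></script>
<script>
var c = 2;
</script>
<script src="usesc.js"></script>
<script type="application/json" id="config">{"debug": false}</script>
</head>
<body><button onclick="start()">Start</button></body>
</html>
"""


def _is_javascript(attrs: str) -> bool:
    """True when the tag's type attribute is absent or names an executable JS type."""
    m = re.search(r"""\btype\s*=\s*["']?([^"'\s>]+)""", attrs, re.IGNORECASE)
    return m is None or m.group(1).lower() in JS_TYPES


def externalize_inline_scripts(html: str, prefix: str = "snippet"):
    """Return (rewritten_html, {filename: script_body}).

    Every executable <script> without a src attribute has its body moved into
    prefix<N>.js and the tag rewritten to <script src="prefix<N>.js"></script>.
    Snippets are numbered in document order, so globals defined across files
    (A, B, c in the thread's example) are still evaluated in the same order.
    """
    files = {}

    def replace(match):
        attrs, body = match.group(1), match.group(2)
        if re.search(r"\bsrc\s*=", attrs, re.IGNORECASE) or not _is_javascript(attrs):
            return match.group(0)  # already external, or not executable: untouched
        name = f"{prefix}{len(files) + 1}.js"
        files[name] = body
        return f'<script{attrs} src="{name}"></script>'

    return SCRIPT_RE.sub(replace, html), files


def find_inline_handlers(html: str):
    """Names of inline event-handler attributes that a CSP without
    'unsafe-inline' also blocks; these need converting by hand to
    addEventListener calls inside one of the external files."""
    return sorted({m.group(1).lower() for m in HANDLER_RE.finditer(html)})


def main(argv):
    """Rewrite the given index.html in place and write the snippet files beside it."""
    src = Path(argv[1])
    out_html, files = externalize_inline_scripts(src.read_text(encoding="utf-8"))
    for name, body in files.items():
        (src.parent / name).write_text(body, encoding="utf-8")
    src.write_text(out_html, encoding="utf-8")
    for attr in find_inline_handlers(out_html):
        print(f"warning: inline {attr}= handler still present; CSP will block it", file=sys.stderr)
    print(f"moved {len(files)} inline script(s) into {', '.join(files) or 'no files'}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv)
    else:
        rewritten, snippets = externalize_inline_scripts(SAMPLE_INDEX_HTML)
        print(rewritten)
        print(snippets)
        print("inline handlers still present:", find_inline_handlers(rewritten))
```

Run it as `python externalize.py path/to/index.html` on a copy of the app before packaging; without an argument it prints the rewrite of the constructed sample. The regex pass is adequate for a build step over the app's own well-formed HTML, which is the only input it is meant for; it is not an HTML parser and should not be pointed at untrusted markup.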
