The CSP seems like it is going to be really useful. I have been looking into specifying an approach to JavaScript that is compatible with the CSP but also takes into account other things that people are concerned about when designing web pages as well. One of those things is giving JavaScript access to a 'data island' in the HTML. Originally I was thinking of a hidden div element with JSON encoded data that JavaScript could read. Further research revealed some scope for this in HTML5, by means of specifying an in-line script tag with a type of "application/json", see http://dev.w3.org/html5/spec/Overview.html#script.
The CSP specification quite clearly states that a User Agent is supposed to not execute any in-line script. But what exactly should it do with the in-line script content? Should it make it available to the DOM? Should it make it available to the DOM dependent on its type attribute? What does blocking an in-line script tag even mean when the type of the tag isn't something the User Agent would execute anyway? It would be nice to see this called out in the CSP so we don't end up with different User Agents doing different things with in-line script (and other tag) content. Clearly the security implications of what should happen to the contents of script tags also need to be considered.

Dave
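The data-island pattern described in the message above, as an added example that is not part of the original post: a page generator embeds JSON in a `<script type="application/json">` element, and external script reads it back. The helper names and the `page-data` id are hypothetical, the sample data is constructed, and the regex reader stands in for `JSON.parse(document.getElementById(id).textContent)` in a browser.

```javascript
// Added example; serializeDataIsland / readDataIsland are hypothetical names.

const ID_RE = /^[A-Za-z][\w-]*$/;

// Generator side: emit the data as a JSON block the browser will not execute.
// Every "<" is written as \u003c so a string value containing "</script>"
// or "<!--" cannot close the element early or alter how it is parsed.
function serializeDataIsland(id, data) {
  if (!ID_RE.test(id)) throw new Error("invalid id");
  const json = JSON.stringify(data);
  if (json === undefined) throw new Error("data is not JSON-serializable");
  const safe = json.replace(/</g, "\\u003c");
  return `<script type="application/json" id="${id}">${safe}</script>`;
}

// Reader side (stand-in for the DOM lookup): find the block by id and parse
// its text as data. Nothing in the block is ever evaluated as code.
function readDataIsland(html, id) {
  if (!ID_RE.test(id)) throw new Error("invalid id");
  const re = new RegExp(
    `<script type="application/json" id="${id}">([^<]*)</script>`
  );
  const m = re.exec(html);
  return m ? JSON.parse(m[1]) : null;
}

// Constructed sample: one value tries to break out of the element.
const sample = { user: "dave", note: "</script><!-- x", n: 3 };
const markup = serializeDataIsland("page-data", sample);
console.log(markup);
console.log(readDataIsland(markup, "page-data"));
```
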
