Hi Jeremy, yes, you're right about this (also right that this is a good place to ask questions about CSP in Gecko :) )
Take a look at nsIContentSecurityPolicy's allowsInlineScript and allowsEval, which are used to check whether inline script or eval() is allowed, respectively. https://mxr.mozilla.org/mozilla-central/search?string=allowsinlinescript will show you the places this is currently checked in Gecko.

thanks,
ian

----- Original Message -----
From: "jeremy ralegh" <jeremy.ral...@gmx.ch>
To: dev-security@lists.mozilla.org
Sent: Tuesday, February 19, 2013 9:19:28 AM
Subject: CSP and inline-scripting

Hello,

I'm not sure if this is the right place to ask. Please tell me if I should ask in another group.

I've started working on a modification of Content Security Policy. I've tried shouldLoad() in nsIContentPolicy to block script elements, that is TYPE_SCRIPT = 2. However, it seems that this method is only able to recognize external scripts loaded via <script src="...">. All inline scripts on a page are ignored.

My questions: Am I right about this? If yes, is there any other possibility to catch inline scripts?

Thanks for your comments.
Jeremy

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
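To make concrete the distinction the reply draws (shouldLoad sees only fetched script resources, while the CSP object answers "is inline script / eval allowed under this policy?"), here is a simplified model of that second decision. This is an added illustration written for this thread, not Gecko's allowsInlineScript/allowsEval code: it assumes CSP 1.0 semantics (script-src falling back to default-src, 'unsafe-inline' and 'unsafe-eval' keywords) and ignores nonces, hashes, report-only mode and multiple policies.

```javascript
// Added example: a simplified model of a CSP 1.0 "does this policy allow
// inline script / eval?" decision, in the spirit of the allowsInlineScript
// and allowsEval checks the reply mentions. This is NOT Gecko's
// implementation (no nonces/hashes, no report-only, no policy merging).

// Parse "directive src src; directive src" into a Map of name -> [sources].
function parsePolicy(policyText) {
  const directives = new Map();
  for (const rawDirective of policyText.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP keeps the first occurrence of a directive and ignores repeats.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs script; when absent, default-src applies; when neither
// is present the policy places no restriction on script at all.
function effectiveScriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

function hasKeyword(sources, keyword) {
  return sources.some((s) => s.toLowerCase() === keyword);
}

// Mirrors the question behind allowsInlineScript: may inline <script>
// blocks and inline event handlers execute under this policy?
function allowsInlineScript(policyText) {
  const sources = effectiveScriptSources(parsePolicy(policyText));
  return sources === null || hasKeyword(sources, "'unsafe-inline'");
}

// Mirrors the question behind allowsEval: may eval(), new Function() and
// string arguments to setTimeout/setInterval run under this policy?
function allowsEval(policyText) {
  const sources = effectiveScriptSources(parsePolicy(policyText));
  return sources === null || hasKeyword(sources, "'unsafe-eval'");
}

// Constructed sample policies (not taken from the thread).
const strictPolicy = "default-src 'self'; script-src 'self' https://cdn.example";
const loosePolicy = "default-src 'self' 'unsafe-inline' 'unsafe-eval'";
const noScriptRulePolicy = "img-src 'self'";
```

Note that the strict policy blocks inline script even though external scripts from 'self' and the CDN still pass, which is exactly the case a shouldLoad-only check cannot express.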