The script nonce attribute might be closer to what Jeremy is looking for:
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce--experimental

Jeremy: If you are interested in doing this, you should try implementing the
script-nonce feature instead of the id attribute you had in mind. Since
script-nonce is on the standards track, you are far more likely to get feedback
from other Mozilla contributors. The links Ian sent should be a good starting
point.

--dev

On 20 February 2013 09:07, Ian Melven <imel...@mozilla.com> wrote:
>
> Hi,
>
> can you clarify what you mean by 'decide manually'? interactively?
>
> have you seen the discussion of the proposed script-hash directive for CSP 1.1
> on the w3c webappsec list?
>
> http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0052.html has a
> proposal
>
> the basic idea is that since for performance reasons it's difficult for some
> sites to get rid of all inline script, a CSP can explicitly whitelist certain
> inline scripts and allow them to run
>
> in your example, you could use script-hash to only allow s1 or s2 based on
> their hash
>
> the proposal is still in its early stages at this point.
>
> cheers,
> ian
>
>
> ----- Original Message -----
> From: "jeremy ralegh" <jeremy.ral...@gmx.ch>
> To: dev-security@lists.mozilla.org
> Cc: "Boris Zbarsky" <bzbar...@mit.edu>, mozilla-dev-secur...@lists.mozilla.org
> Sent: Wednesday, February 20, 2013 1:09:22 AM
> Subject: Re: CSP and inline-scripting
>
> Thanks for your input. I'll check out your hints. Nonetheless I think that
> my question wasn't precise enough. What I'm actually thinking about is the
> following.
>
> Let's assume we have an HTML doc with two inline script areas like
>
> <script id="s1"> ... </script>
> <script id="s2"> ... </script>
>
> I want to block "s1", but allow "s2" in the same document. As far as I've
> understood CSP, it's only possible to block both scripts (by default) or
> allow both using unsafe-inline. I'd like to avoid "unsafe-inline" and
> "unsafe-eval" as they soften the policy and instead decide manually which
> parts to allow and which ones to block.
>
> Is there any chance to achieve this with CSP as it is (or maybe by adding
> some lines of code)?
>
> Jeremy
>
> _______________________________________________
> dev-security mailing list
> dev-security@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security