Example of script-src-attr that is not already handled by script-src-elem



  • What would be an example of a CSP script-src-elem directive allowing a script to be loaded but a script-src-attr directive preventing a function in that script from being executed? If you don't want the js handlers to be executed, why not just prevent the js from being loaded in the first place? I could understand the usefulness of script-src-attr if it operated at the function level, but that is not the case, is it?



  • Content-Security-Policy: script-src-attr 'none'; script-src-elem 'unsafe-inline';

    will allow inline scripts like

    <script> alert('I am inline') </script>

    but disallow event handlers in tags like onclick="alert('I am onclick')" and javascript-navigation

    <a href="window.open('...')">.

    It's much safer than script-src 'unsafe-inline'; because about 90% of XSS are based on badly sanitized user input leading to skipped event handlers in tags, for example

    .

    Otherwise:

    Content-Security-Policy: script-src-attr 'unsafe-inline'; script-src-elem 'nonce-ebf34fd3';

    will disallow inline scripts without the nonce='ebf34fd3' attribute, but will allow inline event handlers and javascript-navigations.

    This is suitable to craft a safer CSP for old sites with a lot of built-in event handlers.

    Please note that as of now only Chrome (https://csplite.com/csp/test231/) supports the script-src-attr / script-src-elem directives. Chromium-based Edge should support these, too.
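The two policies from the answer above, evaluated by a small model of the CSP Level 3 directive rules. This is an added example for illustration; it is not code from the original answer, from any browser, or from csplite.com. It models only what is needed to see the element/attribute split: which directive governs an inline `<script>` element versus an inline event-handler attribute, the CSP3 fallback chain (`script-src-elem` / `script-src-attr` fall back to `script-src`, which falls back to `default-src`), `'none'`, `'unsafe-inline'`, nonces, and the rule that `'unsafe-inline'` is ignored when the governing directive also lists a nonce or hash. It goes slightly beyond the answer by exercising the fallback chain. Host-source matching, hash sources and `javascript:` navigations are deliberately left out of the model; the function and constant names are my own.

```python
"""Minimal model of the CSP3 script-src-elem / script-src-attr split.

Added example, not from the original Q&A or any browser implementation.
Only inline <script> elements and inline event-handler attributes are
modelled; host sources, hashes and javascript: URLs are not.
"""

# Which CSP3 directive governs each kind of inline script (assumed model).
GOVERNING = {
    "inline-script": "script-src-elem",   # <script>...</script>
    "event-handler": "script-src-attr",   # onclick="..."
}

# CSP3 fallback chain: a missing script-src-* directive falls back to
# script-src, which in turn falls back to default-src.
FALLBACK = {
    "script-src-elem": ["script-src-elem", "script-src", "default-src"],
    "script-src-attr": ["script-src-attr", "script-src", "default-src"],
}

KEYWORD_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_policy(header: str) -> dict:
    """Parse a Content-Security-Policy header value into {directive: [sources]}.

    Directive names are case-insensitive; keyword sources such as 'unsafe-inline'
    are lower-cased, while nonce and hash values keep their case. If a directive
    is repeated, the first occurrence wins (as CSP specifies).
    """
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        sources = []
        for tok in tokens[1:]:
            if tok.startswith("'") and not tok.startswith(KEYWORD_PREFIXES):
                tok = tok.lower()
            sources.append(tok)
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy: dict, directive: str):
    """Return the source list that actually governs `directive` after fallback.

    None means no directive in the chain is present, so CSP does not restrict
    this kind of script at all.
    """
    for name in FALLBACK[directive]:
        if name in policy:
            return policy[name]
    return None


def allows_inline(sources, nonce=None) -> bool:
    """Decide whether a source list permits an inline script (element or attribute)."""
    if sources is None:
        return True
    if sources == ["'none'"]:
        return False
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    hashes = [s for s in sources if s.startswith(("'sha256-", "'sha384-", "'sha512-"))]
    if nonce is not None and nonce in nonces:
        return True
    # CSP3: 'unsafe-inline' is ignored when a nonce or hash is also listed.
    if "'unsafe-inline'" in sources and not nonces and not hashes:
        return True
    return False


def is_allowed(header: str, kind: str, nonce=None) -> bool:
    """True if `header` lets a script of `kind` run; `nonce` is the element's nonce, if any."""
    policy = parse_policy(header)
    return allows_inline(effective_sources(policy, GOVERNING[kind]), nonce)


def demo() -> dict:
    """Evaluate the two policies quoted in the answer above (constructed inputs)."""
    strict_attr = "script-src-attr 'none'; script-src-elem 'unsafe-inline'"
    legacy_site = "script-src-attr 'unsafe-inline'; script-src-elem 'nonce-ebf34fd3'"
    return {
        "strict_attr": {k: is_allowed(strict_attr, k) for k in GOVERNING},
        "legacy_site": {
            "inline-script (no nonce)": is_allowed(legacy_site, "inline-script"),
            "inline-script (nonce)": is_allowed(legacy_site, "inline-script", nonce="ebf34fd3"),
            "event-handler": is_allowed(legacy_site, "event-handler"),
        },
    }


if __name__ == "__main__":
    for policy_name, results in demo().items():
        print(policy_name)
        for kind, allowed in results.items():
            print(f"  {kind}: {'allowed' if allowed else 'blocked'}")
```

Running `demo()` shows the answer's point directly: under the first policy the inline `<script>` element is allowed while the `onclick` handler is blocked, and under the second only a nonced `<script>` element runs while event handlers stay allowed. Passing a header with only `script-src 'unsafe-inline'` shows the fallback: both kinds are then allowed, which is why splitting into `-elem` and `-attr` is the tighter policy.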

