
I'm wondering about this quote from the specification (https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html):

To reap the greatest benefit, authors will need to move all inline script and style out-of-line, for example into external scripts, because the user agent cannot determine whether an inline script was injected by an attacker.

Moving all inline script out to external files is a time-heavy task.

My question is from the security point of view. Do you really get any security benefit by extracting all inline-script (e.g. JavaScript) to external sources?

Thank you

  • Just a heads up, CSP 1.1 plans to provide functionality that will allow you to whitelist individual script blocks. (via script-nonce or script-hash). This is still a ways out and removing the inline script is still your most foolproof route. Commented Apr 3, 2013 at 18:54

1 Answer


The key part is

the user agent cannot determine whether an inline script was injected by an attacker.

To provide protection, CSP has to prevent substrings controlled by an attacker from causing code to run. Since the user agent does not know which parts of the HTML were specified by untrusted inputs, and which come from a template written by a trusted developer, it has to assume the worst -- that any attribute or element could be controlled by an attacker.

Do you really get any security benefit by extracting all inline-script (e.g. JavaScript) to external sources?

No. Extracting the scripts that you want to run does not provide any security benefit, it merely lets you run the scripts that you want while still using CSP.

The security benefit comes from being able to invoke the browser's HTML parser without unintentionally executing scripts that abuse domain privileges or steal secrets.


2 Comments

Removing all inline script does guarantee you'll never put dynamic content in a script tag (which usually leads to undesirable behavior). <script>var thing = <%= @thing.to_json %>;</script>. Whether that's a security benefit is pretty controversial :)
@oreoshake, agree re "removing all inline script" in general, but not when used with a Content Security Policy where policy.allowsInlineScript is falsy, which is what the OP implied.
