
javascript - Why are inline JS blocks unsafe? - Stack Overflow


I'm reading Chrome extension document "Content Security Policy (CSP)". It says:

Inline JavaScript, as well as dangerous string-to-JavaScript methods like eval, will not be executed. This restriction bans both inline blocks and inline event handlers (e.g. <button onclick="...">).

...

There is no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes unsafe-inline will have no effect. This is intentional.

Why are inline <script> blocks unsafe? Can anyone explain it? It will be better if you can give examples.

Thank you.


asked Aug 11, 2012 at 16:02 by weilou

1 Answer

Score: 8

As the page says:

The first restriction wipes out a huge class of cross-site scripting attacks by making it impossible for you to accidentally execute script provided by a malicious third-party.

Basically any script you load needs to be in a separate file accessible locally to the extension. This prevents you from loading 3rd party scripts that get injected into your page or including them like:

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>

An example of this is if you have a form a user can fill out. The user can enter a script tag with some JS in it. Let's say it's like a discussion forum. I go in and make a topic but it has some hidden JS in it. Let's also assume you don't clean that out before posting it. Now my post has JS that will execute every time somebody views it. This prevents that script from being executed.
