
javascript - Why is inline script forbidden (Content Security Policy)? - Stack Overflow


I'm wondering about this quote from the specification (https://dvcs.w3/hg/content-security-policy/raw-file/tip/csp-specification.dev.html):

To reap the greatest benefit, authors will need to move all inline script and style out-of-line, for example into external scripts, because the user agent cannot determine whether an inline script was injected by an attacker.

Sourcing out all inline script is a time-heavy task.

My question is from the security point of view. Do you really get any security benefit by extracting all inline-script (e.g. JavaScript) to external sources?

Thank you


asked Apr 3, 2013 at 7:06 by user2239197; edited Apr 27, 2013 at 2:39 by blahdiblah
  • Just a heads up, CSP 1.1 plans to provide functionality that will allow you to whitelist individual script blocks. (via script-nonce or script-hash). This is still a ways out and removing the inline script is still your most foolproof route. – oreoshake Commented Apr 3, 2013 at 18:54

1 Answer (score: 7)

The key part is

the user agent cannot determine whether an inline script was injected by an attacker.

To provide protection, CSP has to prevent substrings controlled by an attacker from causing code to run. Since the user agent does not know which parts of the HTML were specified by untrusted inputs, and which come from a template written by a trusted developer, it has to assume the worst -- that any attribute or element could be controlled by an attacker.

Do you really get any security benefit by extracting all inline-script (e.g. JavaScript) to external sources?

No. Extracting the scripts that you want to run does not provide any security benefit, it merely lets you run the scripts that you want while still using CSP.

The security benefit comes from being able to invoke the browser's HTML parser without unintentionally executing scripts that abuse domain privileges or steal secrets.
