ggaren at apple.com
Sun Mar 17 20:26:30 PDT 2013
(1) Paste / Drag n Drop / editing: Remove script elements and script attributes from untrusted source markup at parse time.
There are problems with mode (2):
* It subjects users to XSS attacks.
* It's hard to verify.
We have 18 different call sites to canExecuteScripts() in WebKit, not counting the call sites that pertain to plug-ins. Are you confident we've caught all the right places? Do you know if the feature you just added needs to call canExecuteScripts()?
* It's two different ways to do the same thing.
Simplicity is a goal of the WebKit project.
One potential downside to this proposal is that it changes the document's internal structure. Since the changes are not generally observable, since they only take place when we're already making much bigger changes by preventing whole scripts from running, and since we haven't seen any compatibility problems from our paste / drag n drop / editing behavior in this regard, I think this downside is acceptable.
Another potential downside is that CSP errors will be reported at parse time instead of runtime. FWIW, some authors might see this as an upside.
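As an added illustration of mode (1), and not code from the author or from WebKit: a standalone parse-time pass in Python over a constructed untrusted fragment that drops script elements and on* script attributes and records every removal with its parse position, which is where reporting lands under this model. The fragment, the class and the function names are all assumptions made here for the example.

```python
import html
from html.parser import HTMLParser


class ScriptStrippingParser(HTMLParser):
    """Rebuild markup while dropping <script> elements (with their text) and
    on* event-handler attributes. Each removal is recorded at parse time.
    Only script elements and script attributes are covered, matching the
    post; URL schemes such as javascript: are out of scope here."""

    VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
            "link", "meta", "source", "track", "wbr"}

    def __init__(self):
        # convert_charrefs=False so "&lt;script&gt;" is re-emitted as written
        # instead of being decoded into live markup on output.
        super().__init__(convert_charrefs=False)
        self.out, self.removed, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.removed.append(("script-element", tag, self.getpos()))
            return
        if self._in_script:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):
                self.removed.append(("script-attribute", name, self.getpos()))
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif not self._in_script and tag not in self.VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._in_script:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._in_script:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._in_script:
            self.out.append(f"&#{name};")


def strip_scripts(markup):
    """Return (sanitized markup, list of removals) for untrusted markup."""
    parser = ScriptStrippingParser()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed untrusted fragment for the example.
UNTRUSTED = ('<div onclick="steal()">Hi <b>there</b>'
             '<script>alert(1)</script>&lt;script&gt;x&lt;/script&gt;</div>')
```

The removals list gives the parse-time report the post mentions; an escaped `&lt;script&gt;` survives as inert text because it never became an element.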