[webkit-dev] Best way to disable JavaScript

Geoffrey Garen ggaren at apple.com
Sun Mar 17 20:56:50 PDT 2013

> Unfortunately, you can't implement CSP that way.


OK, let's consider this a proposal for how the "disable javascript" setting should behave, and leave CSP out of it.

>   Consider the case of
> two same-origin iframes A and B.  Suppose A has a restrictive CSP
> policy (say that bans everything) and B doesn't.  If B uses the DOM to
> insert a script element into A, then CSP should block that script
> element from executing.  Stripping script tags at parse time won't.

FWIW, I interpreted the phrases "enforcing a directive prevents the protected resource from performing certain actions" and "Enforcing a CSP policy should not interfere with the operation of user-supplied scripts" as indicating that CSP applied to the resource as loaded from its origin only, and not to other scripts operating on the resulting DOM.

What is the CSP-expected behavior if a user-supplied script inserts an attribute event handler, javascript: URL, regular event handler, timer, or <script> element in order to do its work?

I noticed that the CSP specification was still in draft form. Is it too late to modify this constraint? To me, the defense against XSS seems pretty weak if the JavaScript content isn't stripped from the resource.


More information about the webkit-dev mailing list