[Webkit-unassigned] [Bug 101683] Should CSP check be moved from ScriptController::executeIfJavaScriptURL to ScriptController::canExecuteScripts?
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Nov 8 18:34:41 PST 2012
https://bugs.webkit.org/show_bug.cgi?id=101683
--- Comment #1 from Adam Barth <abarth at webkit.org> 2012-11-08 18:36:18 PST ---
> Most of these checks are there, so perhaps the CSP one should be there, too?
In CSP, you can have JavaScript URLs turned off but have script (more generally) turned on. CSP treats JavaScript URLs like inline script (e.g., <script>...</script>), the idea being that JavaScript URLs can be injected by attackers (e.g., <a href="$userSuppliedString">...</a>).
The view-source bits do look dodgy though.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list