Why is inline script prohibited (Content Security Policy)?

I am interested in a quote from the specification: ( https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html )

To maximize the benefits, authors will need to move all inline script and style off-line, for example, to external scripts, because the user agent cannot determine whether the inline script was injected by an attacker.

Finding an inline script is a tough task most of the time.

My question is from a security point of view. Do you really get any security advantage by extracting all inline-scripts (like JavaScript) to external sources?

Thanks.

+4
1 answer

Key part

the user agent cannot determine if the inline script was injected by an attacker.

To provide protection, the CSP must prevent attacker-controlled substrings from running as code. Since the user agent does not know which parts of the HTML came from untrusted inputs and which came from a template written by a trusted developer, it must assume the worst: that any attribute or element could be controlled by an attacker.

Do you really get any security advantage by extracting all inline-scripts (like JavaScript) to external sources?

No. Extracting the scripts you want to run does not provide any security benefit in itself; it just allows you to run the scripts you want while using CSP.

The security advantage is the ability to have the browser render the HTML without unintentionally executing scripts that abuse the domain's privileges or steal secrets.

+6
