Why is this embedded javascript not blocked by the content security policy?

I have a page where I set the Content Security Policy script-src as follows:

script-src 'self' *.uservoice.com *.intuit.com ajax.googleapis.com localhost:* 

When I load the page with a hard-coded inline script that I created myself for testing, it is blocked, as expected:

An inline script was denied because it violates the following Content Security Policy: "script-src 'self' *.uservoice.com *.intuit.com ajax.googleapis.com localhost:*". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

However, when I insert a new script tag dynamically, the script is not blocked; it still runs, for example:

 $("body").append("<script>alert('xss');</script>") 

I am using Chrome as the browser for testing. I was hoping this script would also be blocked, as this would really help prevent XSS. Is there something I can change to block this type of script injection?

+8
javascript google-chrome xss content-security-policy
1 answer

A script added using append or innerHTML will not execute unless you use eval(). Therefore, it does not violate CSP.

Although this may look like cross-site scripting, the result is harmless. HTML5 indicates that a tag inserted through innerHTML should not be executed. [1]

[1] See: script elements inserted using innerHTML are not executed when they are inserted.

+2
