> What's annoying is that if Tapestry created some HTML5 elements for this purpose; say <require> and <init>; it would "pass" the CSP even though it would be exactly as hackable as having the inline script. Meanwhile, if there's a man in the middle, having an inline script is no different than having an external script in terms of injecting new client-side executable content into the page.
Howard, I don't think CSP is trying to prevent a man in the middle attack. It's trying to stop an XSS hack. Let's consider alert('hello'); where 'hello' comes from a request parameter. A hacker could create a dodgy link on their site and force users to pass a parameter of hello');doSomethingEvil(); in a similar way to a SQL injection attack.

I'm starting to like your idea of <require> and <init>. Please hear me out ;)

What we want: allow require, allow init, allow invocation of functions defined by our app.
What we want to prevent: a hacker injecting and executing arbitrary javascript.

If we came up with some custom set of tags, we could restrict what's allowed, eg:

<require module="myutils" function="doStuff">{foo:"value1", bar:"value2"}</require>
<init function="myInitializer">{x:"y"}</init>

I'm not sure that I love it. But it does solve the problem.
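As an added illustration (not code from the thread, and not Tapestry's own implementation), the snippet below sketches the client side of the <require>/<init> idea: one whitelisted external script walks the directive elements, parses their bodies with JSON.parse (which never executes anything), and only calls functions that the application has registered. The module/function registry, the directive records and the "injected" samples are all constructed for the example; `collectDirectives` shows how the records would be gathered from a real DOM, while the rest runs without a browser. One deliberate difference from the tags in the post: the bodies here are strict JSON ({"foo":"value1"}) rather than JavaScript object literals, because parsing object literals would require eval and defeat the purpose.

```javascript
// Added example: CSP-friendly directive dispatcher (hypothetical, not Tapestry code).
// Directive elements carry only data (attribute names plus a JSON body); the only
// executable code is this script, so injected markup cannot run arbitrary JS.

// Registry of what the app chooses to expose. Nothing outside this table can be
// invoked from markup, whatever an attacker manages to inject into the page.
const modules = {
  myutils: {
    doStuff(args) { return `doStuff(${args.foo},${args.bar})`; },
  },
};
const initializers = {
  myInitializer(args) { return `init(${JSON.stringify(args)})`; },
};

// Own-property lookup only: attribute values like module="constructor" or
// function="__proto__" must not walk up the prototype chain.
function ownLookup(table, key) {
  return table && Object.prototype.hasOwnProperty.call(table, key) ? table[key] : undefined;
}

// Browser side: turn <require>/<init> elements into plain records. Not exercised
// here (no DOM in Node), shown for completeness.
function collectDirectives(root) {
  return Array.from(root.querySelectorAll('require, init')).map((el) => ({
    tag: el.tagName.toLowerCase(),
    attributes: Object.fromEntries(Array.from(el.attributes).map((a) => [a.name, a.value])),
    textContent: el.textContent,
  }));
}

// Dispatch one directive. Every failure path returns a reason instead of throwing,
// so one hostile element cannot abort processing of the legitimate ones.
function runDirective(d) {
  let args;
  try {
    args = JSON.parse(d.textContent);          // data only, never code
  } catch (e) {
    return { ok: false, reason: 'body is not valid JSON' };
  }
  if (args === null || typeof args !== 'object' || Array.isArray(args)) {
    return { ok: false, reason: 'body must be a JSON object' };
  }
  let fn;
  if (d.tag === 'require') {
    fn = ownLookup(ownLookup(modules, d.attributes.module), d.attributes.function);
  } else if (d.tag === 'init') {
    fn = ownLookup(initializers, d.attributes.function);
  } else {
    return { ok: false, reason: `unknown directive <${d.tag}>` };
  }
  if (typeof fn !== 'function') {
    return { ok: false, reason: 'function is not registered' };
  }
  return { ok: true, result: fn(args) };
}

function runAll(directives) {
  return directives.map(runDirective);
}

// Constructed sample: two legitimate directives followed by two injected ones.
// The third mimics the hello');doSomethingEvil(); break-out from the post; inside
// a JSON body it is simply malformed and gets rejected. The fourth names an
// unregistered function and is refused by the registry check.
const SAMPLE_DIRECTIVES = [
  { tag: 'require', attributes: { module: 'myutils', function: 'doStuff' },
    textContent: '{"foo":"value1","bar":"value2"}' },
  { tag: 'init', attributes: { function: 'myInitializer' },
    textContent: '{"x":"y"}' },
  { tag: 'init', attributes: { function: 'myInitializer' },
    textContent: '{"x":"hello"});doSomethingEvil();({"a":"b"}' },
  { tag: 'require', attributes: { module: 'myutils', function: 'doSomethingEvil' },
    textContent: '{"foo":"bar"}' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runAll(SAMPLE_DIRECTIVES));
}
```

Note that this only removes the need for inline script; the page still has to emit the JSON body with proper HTML escaping (a body containing `</require>` would otherwise close the element early), and the registered functions must treat their arguments as untrusted input.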