Hi Axel. Let's discuss this in the thread you started on the dev-b2g mailing list. Feel free to also join our IRC chat on irc.mozilla.org - channels are #security, #gaia or #b2g. My nickname is "freddyb". Thanks!
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → WONTFIX
Here's my comments from the thread. I agree that this is WONTFIX. On Nov 13, 2014 6:56 AM, <Axel.Nennker@telekom.de> wrote: > An _unmodified_ index.html is trusted. > Why not allow inline script in this case? > > <script src="definesA.js"/> > <script> > var B = A; > </script> > <script src="usesB.js"/> > <script> > var c = 2; > </script> > <script src="usesc.js"/> You are completely right that this would be safe. There are two reasons that we don't allow it. First of all we currently can't tell for certain that an inline <script> comes directly from the zip package. For example document.write is designed such that the written string is inserted directly into the stream of data that we read from disk. So we would have start tagging parts of that stream with"read from disk" vs "generated from document.write". And be certain that we get that 100% accurate since otherwise we have an XSS vector on our hands. We would also need to ensurew that The second reason is that the current implementation leverage existing CSP web standards. This means that we can reuse the existing well tested and well maintained CSP implementation that Gecko already has. It also means that we have a well documented solution since CSP has both a formal spec and well written documentation. And it makes it easier for people to borrow code between packaged apps and other contexts that use CSP. Of course, many of these advantages may not apply to you. I'm sorry about that. But it does apply to many others.
You need to log in before you can comment on or make changes to this bug.