
Why are inline JS blocks unsafe?


I'm reading Chrome extension document "Content Security Policy (CSP)". It says:

Inline JavaScript, as well as dangerous string-to-JavaScript methods like eval, will not be executed. This restriction bans both inline blocks and inline event handlers (e.g. <button onclick="...">).

...

There is no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes unsafe-inline will have no effect. This is intentional.

Why are inline <script> blocks unsafe? Can anyone explain it? It would be better if you could give examples.

Thank you.


Solution

  • As the page says:

    The first restriction wipes out a huge class of cross-site scripting attacks by making it impossible for you to accidentally execute script provided by a malicious third-party.

    Basically any script you load needs to be in a separate file accessible locally to the extension. This prevents you from loading third-party scripts that get injected into your page, or from including them like:

    <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
    

    An example of this is if you have a form a user can fill out. The user can enter a script tag with some JS in it. Let's say it's like a discussion forum. I go in and make a topic but it has some hidden JS in it. Let's also assume you don't clean that out before posting it. Now my post has JS that will execute every time somebody views it. This prevents that script from being executed.
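The forum scenario in the answer above, worked through from the defender's side as an added example (this is my own code, not part of the original answer or of the Chrome documentation; the function names, the sample post and the sample policies are constructed for illustration). The first part output-encodes a user's post so a `<script>` tag in it is rendered as text rather than parsed as markup, which is the "clean that out" step the answer mentions. The second part parses a Content-Security-Policy string and reports whether it would let inline script run on an ordinary web page, including the CSP2 rule that `'unsafe-inline'` is ignored once a nonce or hash source is present; extension pages, as the quoted documentation says, never run inline script regardless of the policy value.

```javascript
// Added example, not from the original question or answer.
// All identifiers below are my own; sample data is constructed.

// --- 1. Output encoding for user-supplied forum content -------------------
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Replace every HTML-significant character so the browser shows the post
// as literal text. A "<script>" typed into the form becomes "&lt;script&gt;".
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Wrap an escaped post in the page's own markup. Only the template's tags
// are markup; nothing from the user is.
function renderPost(body) {
  return `<div class="post">${escapeHtml(body)}</div>`;
}

// --- 2. Does a CSP value permit inline <script> on a normal web page? ------

// Split "name src src; name src" into a Map of directive name -> source list.
// Per the CSP spec, a repeated directive name is ignored after its first use.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// script-src governs scripts; default-src is the fallback when it is absent.
// 'unsafe-inline' only takes effect when no nonce-, hash- or strict-dynamic
// source is listed (CSP2/CSP3 behaviour). No applicable directive at all
// means nothing restricts inline script.
function allowsInlineScript(policy) {
  const d = parseCsp(policy);
  const sources = d.get('script-src') ?? d.get('default-src');
  if (!sources) return true;
  const lower = sources.map((s) => s.toLowerCase().replace(/^'|'$/g, ''));
  const overridesInline = lower.some(
    (s) => /^(nonce-|sha256-|sha384-|sha512-)/.test(s) || s === 'strict-dynamic'
  );
  return lower.includes('unsafe-inline') && !overridesInline;
}

// --- Constructed sample data ---------------------------------------------
// A post as a user might submit it (constructed; the script body is a stand-in).
const CONSTRUCTED_POST = 'Nice topic! <script>hidden()</script>';
// Policies assumed for illustration; the first mirrors the shape of the
// restrictive extension default the documentation describes.
const RESTRICTIVE_POLICY = "script-src 'self'; object-src 'self'";
const LAX_POLICY = "default-src 'self' 'unsafe-inline'";
const NONCED_POLICY = "script-src 'self' 'unsafe-inline' 'nonce-abc123'";

console.log(renderPost(CONSTRUCTED_POST));
console.log('restrictive allows inline:', allowsInlineScript(RESTRICTIVE_POLICY));
console.log('lax allows inline:', allowsInlineScript(LAX_POLICY));
console.log('nonced allows inline:', allowsInlineScript(NONCED_POLICY));
```

The two layers are complementary: encoding stops the injected tag from ever becoming markup, and the restrictive policy means that even a post which slipped past encoding would not execute, since the injected `<script>` is inline and has no `'self'`-hosted source file.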