About inline scripts
Posted: Tue May 06, 2014 7:36 am
Hi there,
First of all, let me say I know nothing about JavaScript, I am just a Firefox user ... with some requirements ... in this case, being able to block inline scripts.
I have been googling a bit and realized this is a requirement requested long ago ... and I wasn't able to find a way to get it done ... then I kept googling ... with no luck ... ... ... yes, I didn't surrender and kept googling and reading ... ... ... and finally I think there might be a way to indirectly implement this feature.
Since I am not a programmer, I'd like to present the how-to so somebody who really knows could discard the idea or accept it.
The general use case would be a user who needs to block inline scripts on several annoying websites ('thepiratebay.se' could be one of them).
My idea was based on several texts from https://developer.mozilla.org/en-US/doc ... ity_Policy and siblings. Here are some relevant ones:
"A CSP compatible browser will then only execute scripts loaded in source files received from those whitelisted domains, ignoring all other script (including inline scripts and event-handling HTML attributes)."
"A policy needs to include a default-src or script-src directive in order for CSP to restrict inline scripts from running, as well as blocking the use of eval()."
"When either the script-src or the default-src directive is included, inline script and eval() are disabled unless you specify 'unsafe-inline' and 'unsafe-eval', respectively."
"Enabling CSP is as easy as configuring your web server to return the Content-Security-Policy HTTP header."
So the idea would be to somehow include "Content-Security-Policy: default-src *" in the HTTP response headers from the annoying websites.
The CSP directive "default-src *" shouldn't block anything, but using CSP should implicitly block inline scripts.
One problem would be how to modify the HTTP response headers from the annoying websites, but in an unrelated topic I read "I briefly considered manipulating a response from Stack Overflow to include the necessary header." at https://palant.de/2014/03/30/enforcing- ... n-websites ... so I assumed that was something that might be achieved.
Now ... it's too late, maybe I read too much and I am probably wrong, but I just needed to make sure.
So ... what do you think?
Thank you !!!
PS: "Content-Security-Policy: script-src * 'unsafe-eval'" might be more correct than "Content-Security-Policy: default-src *" ... but that's in case I am not completely wrong, which I don't know yet.
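As an added illustration (not code from the post above or from any browser or extension project), the following Python evaluator applies the CSP rules the post quotes to a set of response headers: script-src governs scripts and falls back to default-src, and inline script and eval() are blocked unless 'unsafe-inline' / 'unsafe-eval' appear. It also covers the case the post does not mention: when a site already sends its own Content-Security-Policy, adding a second header does not replace it; the browser enforces every policy it receives, so a script runs only if each policy allows it. The header lists and policy strings are constructed samples; nonces and hashes, which whitelist individual inline scripts, are deliberately left out.

```python
# Added example: evaluate whether inline scripts and eval() may run under the
# Content-Security-Policy headers of an HTTP response. Simplified: nonces and
# hashes are ignored, and Report-Only headers are (correctly) not enforced.
from typing import Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]  # response headers as (name, value) pairs
Policy = Dict[str, List[str]]    # directive name -> list of source tokens


def parse_csp(header_value: str) -> Policy:
    """Split one Content-Security-Policy value into {directive: [sources]}.

    Directives are ';'-separated; the first token of each is the directive
    name (case-insensitive). A directive name repeated within one policy is
    ignored after its first occurrence, matching browser behaviour.
    """
    policy: Policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def script_sources(policy: Policy) -> Optional[List[str]]:
    """Source list that governs scripts: script-src, else default-src as the
    fallback, else None (this policy places no restriction on scripts)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def inline_allowed(policy: Policy) -> bool:
    """Inline <script> blocks and on* handler attributes need 'unsafe-inline'."""
    sources = script_sources(policy)
    return sources is None or "'unsafe-inline'" in [s.lower() for s in sources]


def eval_allowed(policy: Policy) -> bool:
    """eval() and friends need 'unsafe-eval'."""
    sources = script_sources(policy)
    return sources is None or "'unsafe-eval'" in [s.lower() for s in sources]


def add_policy(headers: Headers, policy: str) -> Headers:
    """Return a copy of the headers with one more CSP header appended.
    The site's own CSP headers are kept: browsers enforce all of them."""
    return headers + [("Content-Security-Policy", policy)]


def verdict(headers: Headers) -> Dict[str, bool]:
    """Decide whether inline scripts and eval() may run for this response.
    With several enforced policies, something runs only if every policy
    allows it; with no policy at all, everything is allowed."""
    policies = [parse_csp(value) for name, value in headers
                if name.lower() == "content-security-policy"]
    return {
        "inline": all(inline_allowed(p) for p in policies),
        "eval": all(eval_allowed(p) for p in policies),
    }


if __name__ == "__main__":
    # Constructed headers for a site that sends no CSP of its own.
    plain: Headers = [("Content-Type", "text/html"), ("Server", "nginx")]
    print(verdict(plain))                                            # inline and eval allowed
    print(verdict(add_policy(plain, "default-src *")))               # both blocked
    print(verdict(add_policy(plain, "script-src * 'unsafe-eval'")))  # inline blocked, eval allowed
    # Constructed headers for a site that already ships a permissive policy:
    # the added header blocks inline, and the site's own policy blocks eval.
    own = plain + [("Content-Security-Policy", "script-src 'self' 'unsafe-inline'")]
    print(verdict(add_policy(own, "script-src * 'unsafe-eval'")))
```

The last case shows why injecting a policy never loosens a site's own restrictions: the two header values are not merged into one source list, each is checked separately, so the injected `script-src * 'unsafe-eval'` cannot re-enable eval() on a site whose own policy lacks `'unsafe-eval'`.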