Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Consider recording the "duplicate-attribute" error state. #3257
CSP attempts to defend against some kinds of dangling-markup attacks by preventing the execution of scripts that include "
One idea we (briefly) discussed at TPAC is to prevent nonced script execution for
added a commit
Nov 27, 2017
Unfortunately this is still a pretty big hole in
Does the above approach detailed by Mike seem reasonable. What are peoples thoughts?
Propagating a "this script is questionable enough that it should not run" bit to the DOM is doable from the parser perspective. Gecko already does this for scripts that were truncated by early EOF.
Let's not overdo it, though. Let's make it just one bit that says the there was at least one duplicate attribute without trying to retain knowledge of which attribute was duplicated and how all the way through the stack. Or even just one bit saying the script isn't eligible to run (in case we want to add other reasons later or combine it right away with the truncation-by-early-EOF case).