You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
CSP attempts to defend against some kinds of dangling-markup attacks by preventing the execution of scripts that include "" in an attribute name or value. Discarding attributes during parsing makes it possible to trivially work around this defense, as described in https://crbug.com/740615. As dropping repeated attributes is also the root cause of the dangling-markup risk in the first place, it might be reasonable to dig into it a little more deeply to see if something more fundamental can be done.
One idea we (briefly) discussed at TPAC is to prevent nonced script execution for
CSP attempts to defend against some kinds of dangling-markup attacks by preventing the execution of scripts that include "
" in an attribute name or value One idea we (briefly) discussed at TPAC is to prevent nonced script execution for