
script-src-attr and script-src-elem directives are new additions in CSP3. I am not able to understand how they differ from the script-src directive.

https://w3c.github.io/webappsec-csp/#directive-script-src-elem

This documents the new addition, but I am not able to clearly differentiate between their usage, maybe due to the hard language.

Nitanshu

1 Answer


Script-src-elem works on script tags:

<script>alert(1)</script>
<script src="/jquery.js"></script>

Script-src-attr works on attributes that contain JavaScript:

<svg onload="alert(1)">

More information can be found in the Intent to Implement and Ship: CSP3: script-src-attr, script-src-elem, style-src-attr, style-src-elem directives

Sjoerd
  • Will the reports generated by the violation of script-src directive be replaced by script-src-elem then? – Nitanshu Jun 13 '19 at 06:03
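A small model of the behaviour the answer describes, added here as an example (it is not code from the answer or from the CSP spec): a `<script>` element is judged by script-src-elem and an inline handler attribute by script-src-attr, and when the specific directive is absent the check falls back to script-src and then default-src. The policy strings and hosts are constructed for illustration; nonce and hash sources are left out.

```javascript
// Added example, not code from the original answer or the CSP spec: a toy
// model of how a CSP3 user agent chooses which directive governs a script.
// Elements (<script>) consult script-src-elem, inline handlers (onload=...)
// consult script-src-attr; a missing directive falls back to script-src and
// then to default-src. Nonce and hash sources are omitted for brevity.

// Parse a Content-Security-Policy header value into {directive: [sources]}.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return policy;
}

// kind is "elem" for <script> elements or "attr" for inline event handlers.
// Returns the directive name that actually governs this check, or null.
function governingDirective(policy, kind) {
  const fallbackChain = ["script-src-" + kind, "script-src", "default-src"];
  return fallbackChain.find((name) => name in policy) || null;
}

// source is null for inline script/handlers, otherwise the script's host.
// selfHost is the document's own host, used to resolve 'self'.
function isScriptAllowed(policy, kind, source, selfHost) {
  const name = governingDirective(policy, kind);
  if (name === null) return true; // nothing in the policy restricts it
  const values = policy[name];
  if (values.includes("'none'")) return false;
  if (source === null) return values.includes("'unsafe-inline'");
  return values.includes("*") || values.includes(source) ||
    (values.includes("'self'") && source === selfHost);
}

// Constructed policy: script-src-attr is present but script-src-elem is not,
// so <script src="/jquery.js"> falls back to script-src, while an
// onload="..." attribute is judged by script-src-attr alone.
const examplePolicy = parsePolicy(
  "default-src 'self'; script-src 'self' cdn.example.test; script-src-attr 'none'"
);
console.log(governingDirective(examplePolicy, "elem")); // script-src
console.log(governingDirective(examplePolicy, "attr")); // script-src-attr
console.log(isScriptAllowed(examplePolicy, "elem", "cdn.example.test", "app.example.test")); // true
console.log(isScriptAllowed(examplePolicy, "attr", null, "app.example.test")); // false
```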