Does anyone know a nice resource which explains why inline scripts/styles are a bad idea?

There were some nice stickers about it, but I believe they didn't have an explanation either.

Also, are there security risks involved when allowing "data:" links in a Content-Security-Policy header?

Thanks for liking and sharing the sticker. I find the sticker very nice as well.

However, maybe someone is able to answer the question itself? 🙃

@The_Observer6955 I have no idea whether there is a security issue with it, but my main reason to avoid inline JS and CSS is that you have a harder time finding where you wanted to change something, and you can't reuse the same code in multiple objects without copy-pasting, as you can with CSS classes (where the actual style info is somewhere else) or JS functions.

@The_Observer6955 I don't know of any security concern regarding inline styles. There were some ways to put JS into CSS; not sure if that's still a thing.

For me, inline styles are mostly a sign that CSS isn't used efficiently. Chances are you want to potentially reuse that styling and give it a specific meaning.

Then there is stuff like Bootstrap, which uses meaningless classes as a replacement for inline styles. Kind of ruins what CSS is supposed to do, I think.

Thanks for your answers. Those are valid reasons as well.

My use case is self-hosting some applications, which I wanted to secure via the CSP header, which can prevent for example XSS attacks by telling the browser that it shouldn't execute inline scripts. I am currently filing issues for all the applications which use these themselves, which prevents me from setting the header. I hoped there would be a website I can link to which explains everything for me. 😃

It is there to make it work, but as the name says, it is unsafe and against what the CSP script-src is there for. Without 'unsafe-inline', XSS attacks can be prevented.

I was just looking for a nice resource which explains this in an easy way, to hand to the developers and make them remove the inline scripts and styles.

@The_Observer6955 Well… basically just because the whole CSP is useless if you allow inline JS.
An attacker can, in case of an #XSS vuln, just inject inline JS and execute any JS code.

(Maybe the spec elaborates on that.)
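To make the two points of this thread concrete (the question about "data:" in the policy, and the replies explaining why 'unsafe-inline' makes script-src useless against XSS), here is an added example that is not part of the original thread: a deliberately simplified model of how a browser evaluates the CSP script-src directive for a given <script> element. It is not a real CSP implementation (no 'strict-dynamic', hashes, host wildcards or paths), and the origin https://app.example, the nonce value and the policies are assumed for illustration. The point it shows is that an injected `<script>alert(1)</script>` is allowed under 'unsafe-inline', an injected `<script src="data:text/javascript,...">` is allowed once data: is in script-src, and both are blocked by a nonce-based policy that still lets the application's own nonced inline script and its external files run.

```javascript
// Added example: a simplified evaluator for the CSP script-src directive.
// It is NOT a browser implementation; it models only the source expressions
// needed to show why 'unsafe-inline' and data: undo the XSS protection.

const PAGE_ORIGIN = "https://app.example"; // assumed origin of the self-hosted app

// Parse "directive src src; directive src" into { directive: [sources] }.
function parsePolicy(policyString) {
  const policy = {};
  for (const part of policyString.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression match the URL of an external script?
function sourceMatchesUrl(source, url) {
  if (source === "'self'") return url.startsWith(PAGE_ORIGIN + "/");
  if (source === "'none'") return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    // Scheme source such as data: or https: matches every URL with that scheme.
    return url.toLowerCase().startsWith(source.toLowerCase());
  }
  if (source.startsWith("'")) return false; // keywords, nonces, hashes never match URLs
  // Host source: exact origin only (wildcards and paths are not modelled here).
  let origin;
  try { origin = new URL(url).origin; } catch { return false; }
  const wanted = source.includes("://") ? source : "https://" + source;
  return origin === wanted.replace(/\/$/, "");
}

// Decide whether a <script> element may run under the policy.
// script = { inline: true, nonce?: string } or { inline: false, src: string, nonce?: string }
function scriptAllowed(policyString, script) {
  const policy = parsePolicy(policyString);
  const sources = policy["script-src"] ?? policy["default-src"];
  if (!sources) return true; // no applicable directive: everything is allowed
  // A matching nonce allows the element, inline or external.
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
  if (script.inline) {
    // 'unsafe-inline' is ignored as soon as the directive carries a nonce or hash,
    // so a nonce-based policy blocks every inline script an attacker injects.
    const hasNonceOrHash = sources.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
    return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
  }
  return sources.some(s => sourceMatchesUrl(s, script.src));
}

// Constructed scenario: the app echoes a user-supplied comment unescaped (an XSS
// bug), so the attacker can place arbitrary markup in the page. Compare what runs
// under a policy with 'unsafe-inline' and data: against a nonce-based policy.
function xssOutcomes() {
  const injectedInline = { inline: true };                                        // <script>alert(1)</script>
  const injectedData   = { inline: false, src: "data:text/javascript,alert(1)" }; // <script src="data:...">
  const ownNonced      = { inline: true, nonce: "r4nd0m" };                       // app's <script nonce="r4nd0m">
  const ownFile        = { inline: false, src: PAGE_ORIGIN + "/static/app.js" };  // app's external script

  const weak   = "default-src 'self'; script-src 'self' 'unsafe-inline' data:";
  const strict = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'";

  const evaluate = policy => ({
    injectedInline: scriptAllowed(policy, injectedInline),
    injectedData:   scriptAllowed(policy, injectedData),
    ownNonced:      scriptAllowed(policy, ownNonced),
    ownFile:        scriptAllowed(policy, ownFile),
  });
  return { weak: evaluate(weak), strict: evaluate(strict) };
}

console.log(JSON.stringify(xssOutcomes(), null, 2));
```

Under the weak policy all four scripts run, including both injected ones, so the header adds nothing against XSS; under the nonce policy only the application's own nonced inline script and its external file run. The nonce must be freshly random per response, otherwise the attacker can simply copy it. Note that data: is only dangerous in directives that load code (script-src, object-src, and anything that falls back to default-src); allowing data: in img-src for inline images is harmless by comparison, so the answer to the data: question depends on which directive it is added to.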
