Why is inline script forbidden (Content Security Policy)?

I am wondering about this quote from the specification (https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html):

To reap the greatest benefit, authors will need to move all inline script and style out-of-line, for example into external scripts, because the user agent cannot determine whether an inline script was injected by an attacker.

Moving all inline script out-of-line is a time-heavy task.

My question is from the security point of view. Do you really get any security benefit by extracting all inline-script (e.g. JavaScript) to external sources?

Thank you

asked by user2239197 on Apr 03 '13 07:04

1 Answer

The key part is

the user agent cannot determine whether an inline script was injected by an attacker.

To provide protection, CSP has to prevent substrings controlled by an attacker from causing code to run. Since the user agent does not know which parts of the HTML were specified by untrusted inputs, and which come from a template written by a trusted developer, it has to assume the worst -- that any attribute or element could be controlled by an attacker.

Do you really get any security benefit by extracting all inline-script (e.g. JavaScript) to external sources?

No. Extracting the scripts that you want to run does not provide any security benefit, it merely lets you run the scripts that you want while still using CSP.

The security benefit comes from being able to invoke the browser's HTML parser without unintentionally executing scripts that abuse domain privileges or steal secrets.

answered by Mike Samuel on Nov 15 '22 00:11
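To make the answer's point concrete, here is an added example (not part of the original question or answer, and not the spec's full source-matching algorithm): a simplified model of how a user agent applies a `script-src` directive to the scripts found in a page. The template, origin and policy lists are constructed for illustration. It shows that under `script-src 'self'` the developer's own inline script and an injected one are blocked alike, because the browser cannot tell them apart, and that only moving the legitimate script out-of-line lets it run while the injected one stays blocked.

```python
import re
from urllib.parse import urlparse

PAGE_ORIGIN = "https://app.example"  # constructed origin for the example

def script_allowed(script, policy, page_origin=PAGE_ORIGIN):
    """Simplified script-src check.

    script: {"src": str or None, "body": str}  (src None means inline)
    policy: list of source expressions, e.g. ["'self'", "https://cdn.example"]
    """
    if script["src"] is None:
        # The user agent cannot distinguish a developer's inline script from an
        # injected one, so inline runs only if the policy opts back in.
        return "'unsafe-inline'" in policy
    parsed = urlparse(script["src"])
    # A relative URL resolves against the page itself, so it is same-origin.
    src_origin = f"{parsed.scheme}://{parsed.netloc}" if parsed.netloc else page_origin
    for source in policy:
        if source == "'self'" and src_origin == page_origin:
            return True
        if not source.startswith("'") and src_origin == source.rstrip("/"):
            return True
    return False

SCRIPT_RE = re.compile(r'<script(?:\s+src="([^"]*)")?\s*>(.*?)</script>', re.S)

def find_scripts(html):
    """Collect script elements the way the HTML parser would see them."""
    return [{"src": m.group(1), "body": m.group(2).strip()}
            for m in SCRIPT_RE.finditer(html)]

def render_inline(display_name):
    # Constructed template: legitimate inline script plus unescaped user input.
    return f"<h1>Hello, {display_name}</h1><script>initProfilePage();</script>"

def render_external(display_name):
    # Same template with the developer's script moved out-of-line.
    return f'<h1>Hello, {display_name}</h1><script src="/profile.js"></script>'

def execution_report(html, policy):
    """Return (script identifier, allowed?) for every script in the page."""
    return [(s["src"] or "inline:" + s["body"], script_allowed(s, policy))
            for s in find_scripts(html)]
```

Run `execution_report(render_inline("Ann<script>injected()</script>"), ["'self'"])` and then the `render_external` variant to compare which scripts survive the policy.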