Security/CSP/Specification

1,151 bytes removed, 23:40, 8 March 2010
===No inline scripts will execute===
<font color="#a00">
* User Agents MUST block:
** The contents of internal <script> nodes
** javascript: URIs, e.g. <a href="javascript:bad_stuff()"> (unless enabled by policy)
</font>
<font color="#060">
* User Agents MUST not block:
** Scripts imported from external files whose sources are allowed by the protected document's policy AND are served with a Content-Type of <tt>application/javascript</tt> or <tt>application/json</tt>.
</font>
* Justification:
** XSS attacks are possible because the browser has no way to differentiate between content the server intended to send and content injected by an attacker. Content Security Policy forces the separation of code from content and requires authors to be explicit about the code they intend to execute.
** Common vectors for injecting script into web pages have been restricted in CSP. With CSP enabled, the bar for a successful XSS attack is raised substantially, requiring an attacker to:
**# inject a <script> tag into the target document
**# point this tag at a script file on a white-listed host
**# control the contents of the white-listed script file
** Note: websites are still able to perform event-handling in the following ways, both of which require being used from within valid white-listed script files:
**# setting the on<event> properties of an element, e.g. element.onclick = myFunc;
**# using addEventListener, e.g. element.addEventListener("click", myFunc, false);
* Sites may opt-out of this restriction by adding the <tt>inline</tt> keyword to the [[Security/CSP/Spec#script-src|script-src]] directive.
* Vulnerability types mitigated:
*# Reflected XSS
*# Stored XSS
*# javascript: link injection
*# HTML attribute injection
'''On Violation:''' User Agents MUST generate and send a violation report with the <tt>violated-directive</tt> value set to "Base Restriction Violation: no inline scripts will execute." when this base restriction is violated.
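The following is an added illustration, not code from this wiki page or from Mozilla's CSP implementation: a small JavaScript model of the base restriction above, the <tt>inline</tt> opt-out, and the violation report. It classifies the script candidates a user agent would find in a document (inline <script> contents, javascript: URIs, external files with their served Content-Type) against a script-src directive. The directive syntax (an unquoted <tt>self</tt> token, the <tt>inline</tt> keyword), the candidate record shape, the treatment of <tt>inline</tt> as also enabling javascript: URIs, and the reason strings for the two external-script cases are assumptions made for this example; only the base-restriction string comes from the page.

```javascript
// Added illustration, not code from the Mozilla CSP wiki page: a small model
// of the "no inline scripts will execute" base restriction. Policy syntax
// (unquoted `self`, the `inline` keyword) and the candidate record shape are
// assumptions made for this example.

const ALLOWED_CONTENT_TYPES = new Set(["application/javascript", "application/json"]);

// The violated-directive text the page fixes for this base restriction.
const BASE_RESTRICTION_VIOLATION =
  "Base Restriction Violation: no inline scripts will execute.";

// Parse the script-src directive out of a policy string such as
// "script-src self cdn.example.com inline". Other directives are ignored.
function parseScriptSrc(policyText) {
  const directive = policyText
    .split(";")
    .map((part) => part.trim())
    .find((part) => part.startsWith("script-src"));
  const tokens = directive ? directive.split(/\s+/).slice(1) : [];
  return {
    inlineAllowed: tokens.includes("inline"),
    hosts: new Set(tokens.filter((token) => token !== "inline")),
  };
}

function hostOf(url) {
  return new URL(url).hostname;
}

// Decide whether one script candidate executes under the policy.
// Candidate kinds: "inline" (contents of a <script> node), "javascript-uri"
// (e.g. <a href="javascript:...">), "external" (src plus served Content-Type).
function evaluateScript(candidate, policy, documentUrl) {
  switch (candidate.kind) {
    case "inline":
    case "javascript-uri":
      // The base restriction blocks both unless the site opted out with `inline`
      // (treating `inline` as covering javascript: URIs is an assumption here).
      return policy.inlineAllowed
        ? { executes: true }
        : { executes: false, violatedDirective: BASE_RESTRICTION_VIOLATION };
    case "external": {
      const host = hostOf(candidate.src);
      const hostAllowed =
        policy.hosts.has(host) ||
        (policy.hosts.has("self") && host === hostOf(documentUrl));
      // Reason strings for the two external cases are constructed for this
      // example; the page only fixes the text for the base restriction.
      if (!hostAllowed) {
        return { executes: false, violatedDirective: "script-src (host not white-listed)" };
      }
      const mediaType = candidate.contentType.split(";")[0].trim().toLowerCase();
      if (!ALLOWED_CONTENT_TYPES.has(mediaType)) {
        return { executes: false, violatedDirective: "script-src (unexpected Content-Type)" };
      }
      return { executes: true };
    }
    default:
      throw new Error("unknown candidate kind: " + candidate.kind);
  }
}

// Run every candidate found in a document and split the results into the
// scripts that run and the violation reports a UA would send.
function auditDocument(candidates, policyText, documentUrl) {
  const policy = parseScriptSrc(policyText);
  const allowed = [];
  const reports = [];
  for (const candidate of candidates) {
    const result = evaluateScript(candidate, policy, documentUrl);
    if (result.executes) {
      allowed.push(candidate.id);
    } else {
      reports.push({ id: candidate.id, "violated-directive": result.violatedDirective });
    }
  }
  return { allowed, reports };
}

// Constructed sample: what a UA might find while parsing one page.
const SAMPLE_CANDIDATES = [
  { id: "inline-1", kind: "inline", code: "doSomething();" },
  { id: "link-1", kind: "javascript-uri", href: "javascript:bad_stuff()" },
  { id: "ext-cdn", kind: "external", src: "https://cdn.example.com/app.js", contentType: "application/javascript; charset=utf-8" },
  { id: "ext-self", kind: "external", src: "https://app.example.com/ui.js", contentType: "application/javascript" },
  { id: "ext-other", kind: "external", src: "https://other.example.net/x.js", contentType: "application/javascript" },
  { id: "ext-html", kind: "external", src: "https://cdn.example.com/page", contentType: "text/html" },
];

const SAMPLE_POLICY = "script-src self cdn.example.com";
const SAMPLE_DOCUMENT = "https://app.example.com/index.html";

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditDocument(SAMPLE_CANDIDATES, SAMPLE_POLICY, SAMPLE_DOCUMENT), null, 2));
}
```

With the sample policy only the two external files from white-listed hosts with an acceptable Content-Type run; the inline block and the javascript: link each produce a report carrying the base-restriction string, and the off-list host and the text/html response are reported separately. Adding <tt>inline</tt> to the directive lets the first two execute, which is exactly the trade-off the opt-out makes.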
===Code will not be created from strings===