Re: CSP XML Data with tokens

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Thu, 27 Jan 2011 16:29:38 -0800
Message-ID: <AANLkTi=w+sk2w-P3vZqt-MYS6wvWfqZowzpECZH-O7+3@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, gaz Heyes <gazheyes@gmail.com>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org

> Oh btw, you could also.
> <span security="xxxxx">html encoded content</span>
> Or am I missing how this is going to behave being backward compatible?

Well, the question is specifically about untrusted (and possibly
poorly escaped) data being delimited on both ends, so that it is more
difficult to escape - you can't close the block unless you know the
nonce. I don't think this is very likely to happen :-(

/mz
Received on Friday, 28 January 2011 00:30:31 GMT
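
An added sketch of the delimiting idea discussed in this message, not part of the original post or of any CSP proposal: untrusted data is wrapped in markers carrying a per-response nonce, and the consumer treats everything up to the close marker with the same nonce as inert text. The comment-style marker syntax and the names `wrap_untrusted`, `render` and `close_marker` are hypothetical, assumed only for this example.

```python
import html
import re
import secrets

# Hypothetical delimiter syntax, assumed for this sketch only.
OPEN_RE = re.compile(r"<!--untrusted ([0-9a-f]{32})-->")

def close_marker(nonce):
    return f"<!--/untrusted {nonce}-->"

def wrap_untrusted(data, nonce=None):
    """Server side: delimit data on both ends with a fresh, unpredictable nonce."""
    nonce = nonce or secrets.token_hex(16)
    return f"<!--untrusted {nonce}-->{data}{close_marker(nonce)}"

def render(page):
    """Consumer side: text between matching markers is emitted as inert text."""
    out, pos = [], 0
    while (m := OPEN_RE.search(page, pos)):
        out.append(page[pos:m.start()])            # trusted markup, unchanged
        closer = close_marker(m.group(1))          # only this exact nonce closes
        end = page.find(closer, m.end())
        if end == -1:                              # no matching close marker:
            body_end, pos = len(page), len(page)   # fail closed, rest is inert
        else:
            body_end, pos = end, end + len(closer)
        out.append(html.escape(page[m.end():body_end]))
    out.append(page[pos:])
    return "".join(out)

# Constructed sample: poorly escaped data that tries to close the block
# with a guessed nonce and then continue as markup.
GUESS = "0" * 32
PAYLOAD = f"hi{close_marker(GUESS)}<b>injected</b>"

def demo_fresh_nonce():
    # Fresh nonce per response: the guessed close marker is just text.
    return render("<p>" + wrap_untrusted(PAYLOAD) + "</p>")

def demo_predictable_nonce():
    # Failure mode: a reused or guessable nonce lets the data close the block.
    return render("<p>" + wrap_untrusted(PAYLOAD, nonce=GUESS) + "</p>")

if __name__ == "__main__":
    print(demo_fresh_nonce())
    print(demo_predictable_nonce())
```

The second demo shows why the nonce has to be unpredictable and never reused across responses: once the data can name it, the delimiter offers no containment.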