- From: Eduardo' Vela <evn@google.com>
- Date: Sat, 8 Dec 2012 19:57:19 -0600
- To: "public-web-security@w3.org" <public-web-security@w3.org>, Adam Barth <w3c@adambarth.com>
Received on Sunday, 9 December 2012 01:58:07 UTC
Hi! For some pages (think static content, or heavy JS sites), the only risk of XSS is DOM XSS, and one can't realistically convert all inline scripts to outline for performance reasons.

ATM the only way to protect these pages is by creating the CSP header when the document has finished loading (after onload or so); however, that won't catch the scripts that are created before load time, like <script>xx.innerHTML=xxx</script>.

I want to propose something, maybe for CSP 1.1, 1.2, 1.x, 2.x or whatever, that allows us to disable the behavior that makes innerHTML introduce XSS (and so make innerHTML safe by default). Of course the same has to be done to insertAdjacentHTML, outerHTML, etc., but the idea still holds.

It's unclear to me how to define an API for this, but here's a stab:

* script-src unsafe-static-inline
* document.write/innerHTML/etc. won't execute scripts.

In the future one could expand the syntax to only allow "safe" strings or "untainted" strings, but I don't want to go into details about that.

The objective of this thread is to ignite discussion and flaming; I don't realistically expect everyone to agree on something any time soon.
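The "only allow safe or untainted strings" direction mentioned at the end of the message can be sketched in application code without any browser support. The following is an added example, not code from the message, from the CSP specification or from any browser: a wrapper type that can only be produced by escaping untrusted text or by a trusted literal, and a single guarded sink that refuses raw strings at innerHTML. The element is a constructed stand-in object with an innerHTML property so the script runs outside a browser; in a page it would be a real DOM element.

```javascript
// Added example: a "safe HTML" wrapper type plus a guarded innerHTML sink.
// Nothing here is browser or spec API; the names are this example's own.

// Characters that give the HTML parser something to act on, and their entities.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Turn attacker-controlled text into markup-free text.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Private token so that only the two static constructors can create a SafeHtml.
const CONSTRUCT = Symbol("SafeHtml");

// Holding a SafeHtml instance proves the value either went through escapeHtml
// or was a developer-written literal; there is no other way to obtain one.
class SafeHtml {
  #value;
  constructor(value, token) {
    if (token !== CONSTRUCT) {
      throw new TypeError("use SafeHtml.fromText or SafeHtml.trustedLiteral");
    }
    this.#value = value;
  }
  toString() {
    return this.#value;
  }
  static fromText(untrusted) {
    return new SafeHtml(escapeHtml(untrusted), CONSTRUCT);
  }
  static trustedLiteral(literal) {
    return new SafeHtml(literal, CONSTRUCT);
  }
}

// The one place in the code base allowed to assign innerHTML. A raw string
// (the DOM XSS sink the message describes) is rejected before it is parsed.
function setInnerHtml(el, html) {
  if (!(html instanceof SafeHtml)) {
    throw new TypeError("innerHTML sink requires SafeHtml, got raw " + typeof html);
  }
  el.innerHTML = String(html);
  return el.innerHTML;
}

// Constructed sample standing in for attacker-controlled input.
const SAMPLE = '<img src=x onerror="alert(1)"> & "quotes"';

// Runs both paths: escaped text is rendered inert, a raw string is refused.
function demo() {
  const el = { innerHTML: "" }; // stand-in for a DOM element
  const rendered = setInnerHtml(el, SafeHtml.fromText(SAMPLE));
  let rejected = false;
  try {
    setInnerHtml(el, SAMPLE);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { rendered, rejected };
}

console.log(demo());
```

The shape of this pattern is what CSP later standardized as Trusted Types: with `require-trusted-types-for 'script'` in the policy, the browser itself refuses plain strings at innerHTML, outerHTML, insertAdjacentHTML, document.write and similar sinks, and only accepts TrustedHTML objects minted by a registered policy, which is the enforcement the message asks the platform to provide.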