[webappsec] Handling custom elements in CSP

From: Hill, Brad <bhill@paypal-inc.com>
Date: Fri, 1 Feb 2013 04:32:49 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E278EB886@DEN-EXDDA-S12.corp.ebay.com>

I recently noticed the following proposal for custom elements in HTML:

https://www.w3.org/Bugs/Public/show_bug.cgi?id=18669#c48

We should think about how to handle these in CSP.  To my knowledge (please correct me) this is the first time there has been a notion of extension/inheritance in HTML tags.  This may be the easiest way to deal with these elements - policies apply to the described elements and any custom elements that descend from them.

For elements that are declared de-novo but have "active" or script-equivalent semantics, the case is a little more tricky.

Ideas?

-Brad Hill
Received on Friday, 1 February 2013 04:33:19 GMT
