Re: [webappsec] Handling custom elements in CSP

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 2 Feb 2013 00:51:53 -0800
Message-ID: <CAJE5ia-hxuauCzhWoZjHP2_oXrTEHC=x1xLqm06dSf0+xA4mAg@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Jan 31, 2013 at 8:32 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> I recently noticed the following proposal for custom elements in HTML:
>
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=18669#c48
>
> We should think about how to handle these in CSP.  To my knowledge (please
> correct me) this is the first time there has been a notion of
> extension/inheritance in HTML tags.  This may be the easiest way to deal
> with these elements – policies apply to the described elements and any
> custom elements that descend from them.
>
> For elements that are declared de-novo but have “active” or
> script-equivalent semantics, the case is a little more tricky.
>
> Ideas?

My understanding is that custom elements are just syntactic sugar for
a constellation of normal elements.  One approach is to apply CSP as
usual to the normal elements that the custom element expands into.

Adam
Received on Saturday, 2 February 2013 08:52:52 GMT