- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 2 Feb 2013 00:51:53 -0800
- To: "Hill, Brad" <bhill@paypal-inc.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Jan 31, 2013 at 8:32 PM, Hill, Brad <bhill@paypal-inc.com> wrote: > I recently noticed the following proposal for custom elements in HTML: > > https://www.w3.org/Bugs/Public/show_bug.cgi?id=18669#c48 > > We should think about how to handle these in CSP. To my knowledge (please > correct me) this is the first time there has been a notion of > extension/inheritance in HTML tags. This may be the easiest way to deal > with these elements – policies apply to the described elements and any > custom elements that descend from them. > > For elements that are declared de-novo but have “active” or > script-equivalent semantics, the case is a little more tricky. > > Ideas? My understanding is that custom elements are just syntactic sugar for a constellation of normal elements. One approach is to apply CSP as usual to the normal elements that the custom element expands into. Adam
Received on Saturday, 2 February 2013 08:52:52 UTC