[whatwg] Which mechanisms does HTML5 have in place to combat XSS attacks?

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 8 Dec 2010 01:12:29 +0000 (UTC)
Message-ID: <Pine.LNX.4.64.1012080110470.26618@ps20323.dreamhostps.com>

On Tue, 14 Sep 2010, zhao Matt wrote:
> I know Mozilla and Microsoft have provided some ways (respectively, CSP, XSS
> filter) to mitigate or detect XSS attacks.
> So I wonder whether HTML5 will present an approach to fight these attacks?

"XSS" is a pretty broad range of attacks. HTML has a number of features 
designed to prevent XSS attacks, for example the origin security policy, 
the <iframe sandbox> feature, and the text/html-sandboxed MIME type. 
Others have also been proposed, such as a syntax to embed text as base64 
data safely.

HTH. If you have any specific questions please don't hesitate to raise 

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 7 December 2010 17:12:29 UTC