- From: <sird@rckc.at>
- Date: Tue, 15 Feb 2011 20:24:10 -0800
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
> What's the point of that? Oh actually the idea is that you only create one iframe and they just modify the innerHTML, so the CSP restrictions do apply. In this case the scripts don't load for other reasons, being.. that they don't have time to execute. I forgot that detail later on.. good for pointing that out ;) > And one more thing. If you just want to have your HTML parsed in a context in which scripts won't execute, you can simply createDocument a document via the DOMImplementation and then set innerHTML in there... because that's an XML parser. doc.childNodes[0].innerHTML="<img src=x onload=alert(1) onerror=alert(1)>" NS_ERROR_DOM_SYNTAX_ERR on line 1: An invalid or illegal string was specified Greetz!!
Received on Wednesday, 16 February 2011 04:25:03 UTC