CSP and innerHTML

From: Ian Melven <imelven@mozilla.com>
Date: Tue, 30 Apr 2013 11:07:47 -0700 (PDT)
To: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <1800556854.13646432.1367345267290.JavaMail.root@mozilla.com>

Hi,

recently Jonas Sicking raised the idea of having a CSP directive that would block usage of innerHTML

the primary motivation for doing this seems to be additional defence in depth on top of CSP already
restricting script and style injections

i'm curious what others think of this idea and looking for feedback :)

thanks,
ian
Received on Tuesday, 30 April 2013 18:08:14 UTC
