W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2013

CSP and innerHTML

From: Ian Melven <imelven@mozilla.com>
Date: Tue, 30 Apr 2013 11:07:47 -0700 (PDT)
To: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <1800556854.13646432.1367345267290.JavaMail.root@mozilla.com>


Hi,

recently Jonas Sicking raised the idea of having a CSP directive that would block usage of innerHTML

the primary motivation for doing this seems to be additional defence in depth on top of CSP already
restricting script and style injections

i'm curious what others think of this idea and looking for feedback :)

thanks,
ian

Received on Tuesday, 30 April 2013 18:08:14 UTC

This message: [ Message body ]
Next message: Hill, Brad: "RE: CSP and innerHTML"
Previous message: Devdatta Akhawe: "Re: ACTION-115: Proposal for handling srcdoc"
Next in thread: Hill, Brad: "RE: CSP and innerHTML"
Reply: Hill, Brad: "RE: CSP and innerHTML"

Mail actions: [ respond to this message ] [ mail a new topic ]
Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
Help: [ How to use the archives ] [ Search in the archives ]

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:32 UTC