CSP and innerHTML

Hi,

Recently Jonas Sicking raised the idea of having a CSP directive that would block usage of innerHTML.

The primary motivation for doing this seems to be additional defence in depth on top of CSP already
restricting script and style injections.

I'm curious what others think of this idea and am looking for feedback :)

thanks,
ian

Received on Tuesday, 30 April 2013 18:08:14 UTC