W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2013

RE: CSP and innerHTML

From: Hill, Brad <bhill@paypal-inc.com>
Date: Tue, 30 Apr 2013 18:17:15 +0000
To: Ian Melven <imelven@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E27A01AD1@DEN-EXDDA-S12.corp.ebay.com>
I'm interested in an example attack this would stop, which depends uniquely on inner/outerHTML.

The only use I can think of for this off the top of my head is if you're attempting to use a supervisory script to monitor and approve changes to the DOM  - which the implementation details of innerHTML typically do an end-run around.  Otherwise, isn't innerHTML functionally equivalent to other DOM-based APIs?  (and shouldn't the internal implementation be subject to the same CSP constraints already?)

-Brad

> -----Original Message-----
> From: Ian Melven [mailto:imelven@mozilla.com]
> Sent: Tuesday, April 30, 2013 11:08 AM
> To: WebAppSec WG
> Subject: CSP and innerHTML
> 
> 
> Hi,
> 
> recently Jonas Sicking raised the idea of having a CSP directive that would
> block usage of innerHTML
> 
> the primary motivation for doing this seems to be additional defence in
> depth on top of CSP already restricting script and style injections
> 
> i'm curious what others think of this idea and looking for feedback :)
> 
> thanks,
> ian

Received on Tuesday, 30 April 2013 18:17:46 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:01 UTC