- From: Carson, Cory <Cory.Carson@boeing.com>
- Date: Tue, 30 Apr 2013 11:30:04 -0700
- To: "Hill, Brad" <bhill@paypal-inc.com>, Ian Melven <imelven@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
While not strictly existing within a cross-platform specification, Microsoft implemented a similar feature for their browser-based local application runtime: http://msdn.microsoft.com/en-us/library/windows/apps/hh465380.aspx#dynamically_adding_html. Would anyone from Microsoft wish to speak to this feature? In particular, does your experience with your Microsoft-only version suggest that it's a good idea to provide a similar feature for CSP? -----Original Message----- From: Hill, Brad [mailto:bhill@paypal-inc.com] Sent: Tuesday, April 30, 2013 11:17 AM To: Ian Melven; WebAppSec WG Subject: RE: CSP and innerHTML I'm interested in an example attack this would stop, which depends uniquely on inner/outerHTML. The only use I can think of for this off the top of my head is if you're attempting to use a supervisory script to monitor and approve changes to the DOM - which the implementation details of innerHTML typically do an end-run around. Otherwise, isn't innerHTML functionally equivalent to other DOM-based APIs? (and shouldn't the internal implementation be subject to the same CSP constraints already?) -Brad > -----Original Message----- > From: Ian Melven [mailto:imelven@mozilla.com] > Sent: Tuesday, April 30, 2013 11:08 AM > To: WebAppSec WG > Subject: CSP and innerHTML > > > Hi, > > recently Jonas Sicking raised the idea of having a CSP directive that > would block usage of innerHTML > > the primary motivation for doing this seems to be additional defence > in depth on top of CSP already restricting script and style injections > > i'm curious what others think of this idea and looking for feedback :) > > thanks, > ian
Received on Tuesday, 30 April 2013 18:31:32 UTC