W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2013

Re: CSP and innerHTML

From: Eduardo' Vela <evn@google.com>
Date: Tue, 30 Apr 2013 11:58:36 -0700
Message-ID: <CAFswPa-BktixMjuNU6J35xpXBACOUbX6V49UQ7ZsmfxV0FdSKg@mail.gmail.com>
To: "Carson, Cory" <Cory.Carson@boeing.com>
Cc: "Hill, Brad" <bhill@paypal-inc.com>, Ian Melven <imelven@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>

We've been using a CSP policy inserted via a DOM meta tag after load time
to prevent XSS via innerHTML. It effectively makes all calls to innerHTML
equivalent to toStaticHTML

Received on Tuesday, 30 April 2013 18:59:28 UTC

This message: [ Message body ]
Next message: Hill, Brad: "RE: CSP and innerHTML"
Previous message: Carson, Cory: "RE: CSP and innerHTML"
In reply to: Carson, Cory: "RE: CSP and innerHTML"
Next in thread: Hill, Brad: "RE: CSP and innerHTML"
Reply: Hill, Brad: "RE: CSP and innerHTML"

Mail actions: [ respond to this message ] [ mail a new topic ]
Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
Help: [ How to use the archives ] [ Search in the archives ]

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:01 UTC