Umm... can you elaborate? Is this a custom policy you've added?
And perhaps I'm starting to understand the model here... we are not starting with the assumption of a full script injection, but rather the idea that there are existing libraries we want to trust that use innerHTML but do not do sufficient validation, so the proposal is to treat it sort of like we do eval() - as a source of likely error we can lock down?
-Brad
From: Eduardo' Vela [mailto:evn@google.com]
Sent: Tuesday, April 30, 2013 11:59 AM
To: Carson, Cory
Cc: Hill, Brad; Ian Melven; WebAppSec WG
Subject: Re: CSP and innerHTML
We've been using a CSP policy inserted via a DOM meta tag after load time to prevent XSS via innerHTML. It effectively makes all calls to innerHTML equivalent to toStaticHTML