RE: CSP and innerHTML

Umm... can you elaborate?  Is this a custom policy you've added?

And perhaps I'm starting to understand the model here... we are not starting with the assumption of a full script injection, but rather the idea that there are existing libraries we want to trust that use innerHTML but do not do sufficient validation, so the proposal is to treat it sort of like we do eval() - as a source of likely error we can lock down?

-Brad

From: Eduardo' Vela [mailto:evn@google.com]
Sent: Tuesday, April 30, 2013 11:59 AM
To: Carson, Cory
Cc: Hill, Brad; Ian Melven; WebAppSec WG
Subject: Re: CSP and innerHTML

We've been using a CSP policy inserted via a DOM meta tag after load time to prevent XSS via innerHTML. It effectively makes all calls to innerHTML equivalent to toStaticHTML.
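The runtime meta-tag lockdown Eduardo describes, written out as an added example (not code from this thread or from Google); the helper names, the nonce format check and the probe markup are my own assumptions, and only the policy helpers run outside a browser.

```javascript
// Added example (not from the thread). Allow only scripts that carry our
// per-page nonce. Markup that arrives later through innerHTML has no nonce, so
// any <script>, inline handler or javascript: URL in it is refused by the browser.
function buildLockdownPolicy(nonce) {
  if (!/^[A-Za-z0-9+\/=_-]{16,}$/.test(nonce)) {
    throw new Error('nonce must be a long random token, never a constant');
  }
  return [
    `script-src 'nonce-${nonce}'`, // trusted <script> tags must carry nonce="..."
    "object-src 'none'",            // plugins are another script vector
    "base-uri 'none'",              // stop <base> from redirecting relative script URLs
  ].join('; ');
}

// Insert <meta http-equiv="Content-Security-Policy"> into the live document.
// Caveats: the policy only governs script parsed after this point (code that is
// already running is untouched), and meta delivery cannot carry frame-ancestors,
// sandbox or report-uri, so an HTTP header is still stronger where you control it.
function installMetaCsp(doc, policy) {
  const meta = doc.createElement('meta');
  meta.setAttribute('http-equiv', 'Content-Security-Policy');
  meta.setAttribute('content', policy);
  doc.head.appendChild(meta);
  return meta;
}

// Browser-only self-check: push a harmless inline handler through innerHTML and
// report whether it ran. With the meta tag installed it resolves to false and
// the browser logs a CSP violation instead.
function innerHtmlHandlerFires(doc) {
  const probe = doc.createElement('div');
  doc.body.appendChild(probe);
  probe.innerHTML =
    '<img src="data:," onerror="this.setAttribute(\'data-ran\', \'1\')">';
  return new Promise((resolve) => {
    setTimeout(() => {
      resolve(probe.querySelector('img').getAttribute('data-ran') === '1');
      probe.remove();
    }, 200);
  });
}

if (typeof document !== 'undefined') {
  const raw = crypto.getRandomValues(new Uint8Array(16));
  const nonce = btoa(String.fromCharCode(...raw)); // fresh per page load
  installMetaCsp(document, buildLockdownPolicy(nonce));
  innerHtmlHandlerFires(document).then((fired) => console.log('handler ran:', fired));
}
```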

Received on Tuesday, 30 April 2013 19:05:33 UTC