W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2013

RE: CSP and innerHTML

From: Hill, Brad <bhill@paypal-inc.com>
Date: Tue, 30 Apr 2013 19:04:24 +0000
To: Eduardo' Vela <evn@google.com>, "Carson, Cory" <Cory.Carson@boeing.com>
CC: Ian Melven <imelven@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E27A01BE0@DEN-EXDDA-S12.corp.ebay.com>
Umm... can you elaborate?  Is this a custom policy you've added?

And perhaps I'm starting to understand the model here... we are not starting with the assumption of a full script injection, but rather the idea that there are existing libraries we want to trust that use innerHTML but do not do sufficient validation, so the proposal is to treat it sort of like we do eval() - as a source of likely error we can lock down?

-Brad

From: Eduardo' Vela [mailto:evn@google.com]
Sent: Tuesday, April 30, 2013 11:59 AM
To: Carson, Cory
Cc: Hill, Brad; Ian Melven; WebAppSec WG
Subject: Re: CSP and innerHTML

We've been using a CSP policy inserted via a DOM meta tag after load time to prevent XSS via innerHTML. It effectively makes all calls to innerHTML equivalent to toStaticHTML
Received on Tuesday, 30 April 2013 19:05:33 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:01 UTC