Re: CSP and innerHTML

Personally, I'm reluctant to introduce this level of granularity; I don't think
CSP should move towards generic HTML sanitization/whitelisting functionality,
although the desire for something like this in the web platform has come up more
than once over the last couple of years :)

ian


----- Original Message -----
From: "Jim Manico" <jim.manico@owasp.org>
To: "Ian Melven" <imelven@mozilla.com>
Cc: "WebAppSec WG" <public-webappsec@w3.org>
Sent: Tuesday, April 30, 2013 1:41:23 PM
Subject: Re: CSP and innerHTML

Instead of CSP fully blocking innerHTML, is there a chance a policy
could be set to limit what tags would be rendered? (i.e., an HTML
sanitization policy?)

This might be a bit much to request, but I can provide examples if interested.

--
Jim Manico
@Manicode
(808) 652-3805

On May 1, 2013, at 4:08 AM, Ian Melven <imelven@mozilla.com> wrote:

>
> Hi,
>
> Recently Jonas Sicking raised the idea of having a CSP directive that would block usage of innerHTML.
>
> The primary motivation for doing this seems to be additional defence in depth on top of CSP already
> restricting script and style injections.
>
> I'm curious what others think of this idea and looking for feedback :)
>
> thanks,
> ian
>

Received on Thursday, 2 May 2013 17:28:44 UTC
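The directive discussed in this thread (a CSP policy that blocks innerHTML as defence in depth) never shipped, so the following is an added illustration, not code from the thread, from Mozilla, or from the CSP specification. It imitates what such a directive would do, in page script: it replaces the HTML-parsing setters on a prototype with ones that record a violation (in the spirit of a CSP report-uri) and reject the assignment, while textContent keeps working. The sink list, the `installHtmlSinkGuard`/`demo` names and the fake element prototype used to run it outside a browser are all assumptions made here.

```javascript
'use strict';

// Added example, not code from the thread, from Mozilla or from the CSP spec.
// It imitates the proposed "block innerHTML" directive in page script so the
// effect can be tried today. Assumptions: the sink list below is illustrative,
// not exhaustive (document.write and srcdoc are not covered), and the guard
// only affects code that runs after it is installed.
const HTML_SINKS = ['innerHTML', 'outerHTML'];

// Wrap the HTML-parsing accessors on `proto` so that any assignment is
// recorded and rejected. `report` is called once per violation, much like
// a CSP report-uri endpoint would be. Returns the violation log.
function installHtmlSinkGuard(proto, report = () => {}) {
  const violations = [];
  for (const name of HTML_SINKS) {
    const desc = Object.getOwnPropertyDescriptor(proto, name);
    if (!desc || typeof desc.set !== 'function') continue; // sink absent on this prototype
    Object.defineProperty(proto, name, {
      configurable: true,
      enumerable: desc.enumerable,
      get: desc.get,
      set(value) {
        const violation = { sink: name, sample: String(value).slice(0, 80) };
        violations.push(violation);
        report(violation);
        throw new TypeError(`assignment to ${name} blocked by policy`);
      },
    });
  }
  // insertAdjacentHTML is a method rather than an accessor, so wrap it separately.
  if (typeof proto.insertAdjacentHTML === 'function') {
    proto.insertAdjacentHTML = function blockedInsertAdjacentHTML(position, text) {
      const violation = { sink: 'insertAdjacentHTML', sample: String(text).slice(0, 80) };
      violations.push(violation);
      report(violation);
      throw new TypeError('insertAdjacentHTML blocked by policy');
    };
  }
  return violations;
}

// Constructed stand-in for Element.prototype so the example runs outside a
// browser: a minimal innerHTML accessor pair backed by a string field.
function makeFakeElementProto() {
  return Object.create(Object.prototype, {
    innerHTML: {
      configurable: true,
      enumerable: true,
      get() { return this._html || ''; },
      set(v) { this._html = String(v); },
    },
    textContent: { configurable: true, writable: true, value: '' },
    insertAdjacentHTML: {
      configurable: true,
      writable: true,
      value(position, text) { this._html = (this._html || '') + text; },
    },
  });
}

// Push a constructed untrusted string through each path and report what the
// guard did. The markup is only a sample payload; nothing here executes it.
function demo(proto = makeFakeElementProto()) {
  const violations = installHtmlSinkGuard(proto);
  const el = Object.create(proto);
  const untrusted = '<img src=x onerror=alert(1)>';
  const results = {};
  try { el.innerHTML = untrusted; results.innerHTML = 'allowed'; }
  catch (e) { results.innerHTML = 'blocked'; }
  try { el.insertAdjacentHTML('beforeend', untrusted); results.insertAdjacentHTML = 'allowed'; }
  catch (e) { results.insertAdjacentHTML = 'blocked'; }
  el.textContent = untrusted; // text, not markup: still permitted
  results.textContent = el.textContent === untrusted ? 'allowed' : 'blocked';
  results.violations = violations.length;
  return results;
}

if (typeof Element !== 'undefined') {
  // In a browser, guard the real prototype and log violations to the console.
  installHtmlSinkGuard(Element.prototype, (v) => console.warn('policy violation', v));
} else {
  console.log(demo());
}

if (typeof module !== 'undefined') {
  module.exports = { HTML_SINKS, installHtmlSinkGuard, makeFakeElementProto, demo };
}
```

The script-level guard runs in the same realm as any script an attacker has already injected, so unlike a browser-enforced directive it can be undone (`delete Element.prototype.innerHTML` restores the native accessor, since the property stays configurable) or sidestepped through a fresh iframe realm. It is also exactly as disruptive as the proposed directive would be: any library that builds DOM through innerHTML stops working on a page that installs it, which is the trade-off the thread is weighing.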