W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2013

Re: CSP and innerHTML

From: Ian Melven <imelven@mozilla.com>
Date: Thu, 2 May 2013 10:28:17 -0700 (PDT)
To: Jim Manico <jim.manico@owasp.org>
Cc: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <1646159774.14158988.1367515697542.JavaMail.root@mozilla.com>

Personally, I'm reluctant to introduce this level of granularity. I don't think
CSP should move towards generic HTML sanitization/whitelisting functionality,
although the desire for something like this in the web platform has come up more
than once over the last couple of years :)


----- Original Message -----
From: "Jim Manico" <jim.manico@owasp.org>
To: "Ian Melven" <imelven@mozilla.com>
Cc: "WebAppSec WG" <public-webappsec@w3.org>
Sent: Tuesday, April 30, 2013 1:41:23 PM
Subject: Re: CSP and innerHTML

Instead of CSP fully blocking innerHTML, is there a chance a policy
could be set to limit what tags would be rendered? (i.e. an HTML
sanitization policy?)

This might be a bit much to request, but I can provide examples if interested.

Jim Manico
(808) 652-3805

On May 1, 2013, at 4:08 AM, Ian Melven <imelven@mozilla.com> wrote:

> Hi,
> Recently Jonas Sicking raised the idea of having a CSP directive that would block usage of innerHTML.
> The primary motivation for doing this seems to be additional defence in depth on top of CSP already
> restricting script and style injections.
> I'm curious what others think of this idea and am looking for feedback :)
> thanks,
> ian
Received on Thursday, 2 May 2013 17:28:44 UTC
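Added example, not code from this thread or from any CSP implementation: the "HTML sanitization policy" Jim asks about, written as page-side JavaScript that a site can apply today before markup reaches innerHTML. It shows why a tag whitelist is more than "block innerHTML": once CSP already stops inline script, the remaining innerHTML risk is markup-only injection (javascript: links, event-handler attributes that CSP's inline restrictions do not cover in all browsers, dropped-in forms and links), which a tag/attribute whitelist addresses directly. The policy table, the function names (sanitize, safeUrl, setSafeHTML) and all sample inputs are constructed for illustration. The design is fail-closed: output is re-serialized only from whitelisted tags with re-escaped attribute values, and any markup the tokenizer cannot parse cleanly is emitted as escaped text rather than passed through.

```javascript
// Added example (not from the mailing-list thread): a tag-whitelist HTML
// "sanitization policy" enforced in page code before markup reaches innerHTML.
// Runs in Node or a browser. The policy below is an illustrative assumption.

// Allowed tag -> allowed attributes. A Map rather than a plain object, so that
// tag names such as "constructor" or "__proto__" cannot match inherited properties.
const POLICY = new Map([
  ['p', []], ['b', []], ['i', []], ['em', []], ['strong', []],
  ['ul', []], ['ol', []], ['li', []], ['br', []],
  ['a', ['href', 'title']],
  ['img', ['src', 'alt']],
]);
const VOID = new Set(['br', 'img']);      // void elements: never emit a closing tag
// Disallowed elements whose text content is dropped along with the tag.
const DROP_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'template', 'noscript']);
const URL_ATTRS = new Set(['href', 'src']); // attribute values that must pass the scheme check

// A tag token is <name attr="v" attr='v' attr=v ...>, </name>, or <name/>.
// Anything that does not match this shape exactly is treated as text and escaped,
// so malformed markup (e.g. attributes with no separating whitespace) fails closed.
const TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Accept http(s)/mailto URLs and scheme-less relative URLs; reject javascript:,
// data:, vbscript: and every other scheme. Whitespace and control characters are
// stripped first because browsers ignore them inside a scheme ("java\tscript:").
function safeUrl(v) {
  const t = v.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  if (/^(https?|mailto):/.test(t)) return true;
  return !/^[a-z][a-z0-9+.\-]*:/.test(t);  // no scheme at all: relative URL
}

function sanitize(html) {
  let out = '';
  let i = 0;
  let dropTag = null;   // name of the DROP_CONTENT element we are currently inside
  const open = [];      // open tags we have emitted, so each is closed in order
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { if (!dropTag) out += escapeText(html.slice(i)); break; }
    if (lt > i && !dropTag) out += escapeText(html.slice(i, lt));
    const m = TAG_RE.exec(html.slice(lt));
    if (!m) { if (!dropTag) out += '&lt;'; i = lt + 1; continue; }  // not a clean tag: text
    i = lt + m[0].length;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (dropTag) {                        // inside <script>...: ignore until its end tag
      if (closing && name === dropTag) dropTag = null;
      continue;
    }
    if (!POLICY.has(name)) {              // disallowed tag: the tag itself is dropped
      if (!closing && DROP_CONTENT.has(name)) dropTag = name;
      continue;
    }
    if (closing) {                        // close back to the matching open tag, if any
      const idx = open.lastIndexOf(name);
      while (idx !== -1 && open.length > idx) out += `</${open.pop()}>`;
      continue;
    }
    const allowed = POLICY.get(name);
    let attrOut = '';
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(m[3])) !== null) {
      const an = a[1].toLowerCase();
      const av = a[2] ?? a[3] ?? a[4] ?? '';
      if (!allowed.includes(an)) continue;                 // drops on*, style, etc.
      if (URL_ATTRS.has(an) && !safeUrl(av)) continue;     // drops javascript:/data: URLs
      attrOut += ` ${an}="${escapeText(av)}"`;             // always re-quoted and escaped
    }
    out += `<${name}${attrOut}>`;
    if (!VOID.has(name)) open.push(name);
  }
  while (open.length) out += `</${open.pop()}>`;           // close anything left open
  return out;
}

// The integration point a "block innerHTML" CSP directive would police: every
// write of untrusted markup goes through the policy first.
function setSafeHTML(el, untrustedHtml) {
  el.innerHTML = sanitize(untrustedHtml);
  return el.innerHTML;
}
```

The tokenizer is deliberately minimal and is not a substitute for a parser-based sanitizer (DOMPurify, or the browser Sanitizer API where available); what makes it safe to show is that nothing from the input is ever copied through verbatim, only whitelisted tag names, whitelisted attribute names and escaped values, so a tokenizer miss degrades to escaped text rather than to live markup.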