
Re: CSP and innerHTML

From: Ian Melven <imelven@mozilla.com>
Date: Thu, 2 May 2013 10:28:17 -0700 (PDT)
To: Jim Manico <jim.manico@owasp.org>
Cc: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <1646159774.14158988.1367515697542.JavaMail.root@mozilla.com>

Personally, I'm reluctant to introduce this level of granularity; I don't think
CSP should move towards generic HTML sanitization/whitelisting functionality,
although the desire for something like this in the web platform has come up more
than once over the last couple of years :)

ian


----- Original Message -----
From: "Jim Manico" <jim.manico@owasp.org>
To: "Ian Melven" <imelven@mozilla.com>
Cc: "WebAppSec WG" <public-webappsec@w3.org>
Sent: Tuesday, April 30, 2013 1:41:23 PM
Subject: Re: CSP and innerHTML

Instead of CSP fully blocking innerHTML, is there a chance a policy
could be set to limit what tags would be rendered? (i.e. an HTML
sanitization policy?)

This might be a bit much to request, but I can provide examples if interested.

--
Jim Manico
@Manicode
(808) 652-3805

On May 1, 2013, at 4:08 AM, Ian Melven <imelven@mozilla.com> wrote:

>
> Hi,
>
> Recently Jonas Sicking raised the idea of having a CSP directive that would block usage of innerHTML.
>
> The primary motivation for doing this seems to be additional defence in depth on top of CSP already
> restricting script and style injections.
>
> I'm curious what others think of this idea and am looking for feedback :)
>
> thanks,
> ian
>
Received on Thursday, 2 May 2013 17:28:44 UTC
