- From: Ian Melven <imelven@mozilla.com>
- Date: Thu, 2 May 2013 10:29:01 -0700 (PDT)
- To: Eduardo' Vela <evn@google.com>
- Cc: Brad Hill <bhill@paypal-inc.com>, WebAppSec WG <public-webappsec@w3.org>, Cory Carson <Cory.Carson@boeing.com>
would you be willing to share the policy you're using for this with the list for our edification? :)

cheers,
ian

----- Original Message -----
From: "Eduardo' Vela" <evn@google.com>
To: "Cory Carson" <Cory.Carson@boeing.com>
Cc: "Brad Hill" <bhill@paypal-inc.com>, "Ian Melven" <imelven@mozilla.com>, "WebAppSec WG" <public-webappsec@w3.org>
Sent: Tuesday, April 30, 2013 11:58:36 AM
Subject: Re: CSP and innerHTML

We've been using a CSP policy inserted via a DOM meta tag after load time to prevent XSS via innerHTML. It effectively makes all calls to innerHTML equivalent to toStaticHTML
Received on Thursday, 2 May 2013 17:29:27 UTC