
Re: CSP and innerHTML

From: Ian Melven <imelven@mozilla.com>
Date: Thu, 2 May 2013 10:29:01 -0700 (PDT)
To: Eduardo' Vela <evn@google.com>
Cc: Brad Hill <bhill@paypal-inc.com>, WebAppSec WG <public-webappsec@w3.org>, Cory Carson <Cory.Carson@boeing.com>
Message-ID: <212580483.14159095.1367515741341.JavaMail.root@mozilla.com>

would you be willing to share the policy you're using for this with the list for our edification? :)

cheers,
ian


----- Original Message -----
From: "Eduardo' Vela" <evn@google.com>
To: "Cory Carson" <Cory.Carson@boeing.com>
Cc: "Brad Hill" <bhill@paypal-inc.com>, "Ian Melven" <imelven@mozilla.com>, "WebAppSec WG" <public-webappsec@w3.org>
Sent: Tuesday, April 30, 2013 11:58:36 AM
Subject: Re: CSP and innerHTML


We've been using a CSP policy inserted via a DOM meta tag after load time to prevent XSS via innerHTML. It effectively makes all calls to innerHTML equivalent to toStaticHTML 
Received on Thursday, 2 May 2013 17:29:27 UTC
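The technique Eduardo describes, as an added example that is not code from the thread or from Google: a CSP `<meta>` element is built and inserted after load so that markup later written via `innerHTML` cannot run inline handlers or `javascript:` URLs. The nonce format, the `buildInnerHtmlPolicy`/`installRuntimeCsp` helper names and the fake `document` stand-in are assumptions made here so the block can run outside a browser.

```javascript
// Added example (not from the thread): install a CSP <meta> at runtime so that
// markup later written via innerHTML cannot run inline handlers (onerror=, onload=)
// or javascript: URLs. innerHTML never executes <script> elements anyway; the
// policy closes the remaining inline-script vectors. It does not strip markup.
const NONCE_RE = /^[A-Za-z0-9+\/=_-]{16,}$/;                // assumed nonce format

// Allow only scripts carrying the page's own nonce. 'unsafe-inline' is left out
// on purpose: with it, injected handlers would still run and the meta adds nothing.
function buildInnerHtmlPolicy(nonce) {
  if (!NONCE_RE.test(nonce)) throw new Error("nonce must be a long random token");
  return `script-src 'nonce-${nonce}'; object-src 'none'; base-uri 'none'`;
}

// Lint: does the policy still permit inline script? (Not a full CSP parser.)
function policyDefeatsInnerHtmlProtection(policy) {
  const dirs = policy.split(";").map(s => s.trim().split(/\s+/));
  const src = dirs.find(d => d[0] === "script-src") || dirs.find(d => d[0] === "default-src");
  if (!src) return true;                                   // nothing governs script at all
  const nonceOrHash = src.some(v => /^'(nonce-|sha(256|384|512)-)/.test(v));
  return src.includes("'unsafe-inline'") && !nonceOrHash; // CSP2: ignored beside a nonce/hash
}

// Insert the policy into <head>; the browser enforces it from this point on.
function installRuntimeCsp(doc, policy) {
  if (policyDefeatsInnerHtmlProtection(policy)) throw new Error("policy still allows inline script");
  const meta = doc.createElement("meta");
  meta.setAttribute("http-equiv", "Content-Security-Policy");
  meta.setAttribute("content", policy);
  doc.head.appendChild(meta);
  return meta;
}

// Constructed stand-in for `document` so the block runs outside a browser.
function fakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); return el; } };
  return {
    head,
    createElement(tag) {
      const attrs = {};
      return { tagName: tag.toUpperCase(), setAttribute(k, v) { attrs[k] = v; },
               getAttribute(k) { return attrs[k]; } };
    },
  };
}
function demo() {
  const doc = fakeDocument();
  const meta = installRuntimeCsp(doc, buildInnerHtmlPolicy("rAnd0mNonceValue123"));
  return doc.head.children.length === 1 && meta.getAttribute("content").includes("'nonce-");
}
```

In a browser, pass the real `document` instead of the stand-in; the policy governs only content inserted after the meta element, and any scripts the page itself loads from then on must carry the nonce.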

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:01 UTC