Re: CSP and innerHTML from Eduardo' Vela on 2013-05-02 (public-webappsec@w3.org from May 2013)

From: Eduardo' Vela <evn@google.com>
Date: Thu, 2 May 2013 10:31:47 -0700
To: Ian Melven <imelven@mozilla.com>
Cc: Brad Hill <bhill@paypal-inc.com>, Cory Carson <Cory.Carson@boeing.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CAFswPa-_f+d8zzLSD=f_V4edWBeSvC4Y4tDZdeDWHrmsnvwmhA@mail.gmail.com>

Eric Chen was working on this. Check dominatrixss-csp.googlecode.com for
our first attempt.
On May 2, 2013 10:29 AM, "Ian Melven" <imelven@mozilla.com> wrote:

>
> would you be willing to share the policy you're using for this with the
> list for our edification ? :)
>
> cheers,
> ian
>
>
> ----- Original Message -----
> From: "Eduardo' Vela" <evn@google.com>
> To: "Cory Carson" <Cory.Carson@boeing.com>
> Cc: "Brad Hill" <bhill@paypal-inc.com>, "Ian Melven" <imelven@mozilla.com>,
> "WebAppSec WG" <public-webappsec@w3.org>
> Sent: Tuesday, April 30, 2013 11:58:36 AM
> Subject: Re: CSP and innerHTML
>
>
> We've been using a CSP policy inserted via a DOM meta tag after load time
> to prevent XSS via innerHTML. It effectively makes all calls to innerHTML
> equivalent to toStaticHTML
>

Received on Thursday, 2 May 2013 17:32:18 UTC