
Re: CSP and innerHTML

From: Eduardo' Vela <evn@google.com>
Date: Thu, 2 May 2013 10:31:47 -0700
Message-ID: <CAFswPa-_f+d8zzLSD=f_V4edWBeSvC4Y4tDZdeDWHrmsnvwmhA@mail.gmail.com>
To: Ian Melven <imelven@mozilla.com>
Cc: Brad Hill <bhill@paypal-inc.com>, Cory Carson <Cory.Carson@boeing.com>, WebAppSec WG <public-webappsec@w3.org>
Eric Chen was working on this. Check dominatrixss-csp.googlecode.com for
our first attempt.
On May 2, 2013 10:29 AM, "Ian Melven" <imelven@mozilla.com> wrote:

>
> would you be willing to share the policy you're using for this with the
> list for our edification ? :)
>
> cheers,
> ian
>
>
> ----- Original Message -----
> From: "Eduardo' Vela" <evn@google.com>
> To: "Cory Carson" <Cory.Carson@boeing.com>
> Cc: "Brad Hill" <bhill@paypal-inc.com>, "Ian Melven" <imelven@mozilla.com>,
> "WebAppSec WG" <public-webappsec@w3.org>
> Sent: Tuesday, April 30, 2013 11:58:36 AM
> Subject: Re: CSP and innerHTML
>
>
> We've been using a CSP policy inserted via a DOM meta tag after load time
> to prevent XSS via innerHTML. It effectively makes all calls to innerHTML
> equivalent to toStaticHTML.
>
Received on Thursday, 2 May 2013 17:32:18 UTC
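The mechanism Eduardo describes (a CSP delivered through a <meta http-equiv="Content-Security-Policy"> element that a script inserts once the page's own code has loaded, so that later innerHTML writes can no longer execute inline event handlers or javascript: URLs) as an added example. This is not the code from the thread or from the dominatrixss-csp project; the policy contents, the same-origin script allowlist, the helper names and the constructed payloads are assumptions made here for illustration.

```javascript
// Added example (not the poster's code): lock down script execution with a
// dynamically inserted <meta http-equiv="Content-Security-Policy"> so that
// subsequent innerHTML writes cannot run inline handlers or javascript: URLs.
//
// Assumptions (not from the thread): the page's own scripts are served from
// the same origin and have all finished by DOMContentLoaded, and nothing that
// runs afterwards needs inline script. The document is passed in as a
// parameter so the insertion logic can also be exercised outside a browser.

/** Build the lockdown policy. The host allowlist here is an assumption. */
function buildLockdownPolicy({ scriptSources = ["'self'"], allowEval = false } = {}) {
  const scriptSrc = [...scriptSources];
  if (allowEval) scriptSrc.push("'unsafe-eval'");
  // No 'unsafe-inline': inline <script>, on* handlers and javascript: URLs
  // are refused, which is what makes innerHTML behave like toStaticHTML.
  return [
    "default-src 'self'",
    `script-src ${scriptSrc.join(" ")}`,
    "object-src 'none'",   // no plugin content via <object>/<embed>
    "base-uri 'none'",     // injected <base> cannot redirect relative script URLs
  ].join("; ");
}

/** Insert the policy as a <meta> element in <head>; returns the element.
 *  Browsers start enforcing a meta-delivered policy at the moment the element
 *  is inserted, and the policy cannot be removed or loosened afterwards. */
function lockDownDocument(doc, policy) {
  const meta = doc.createElement("meta");
  meta.setAttribute("http-equiv", "Content-Security-Policy");
  meta.setAttribute("content", policy);
  doc.head.appendChild(meta);
  return meta;
}

/** Run fn once the DOM is parsed, whether or not DOMContentLoaded already fired. */
function whenReady(doc, fn) {
  if (doc.readyState === "loading") {
    doc.addEventListener("DOMContentLoaded", fn);
  } else {
    fn();
  }
}

// Browser-only demonstration; skipped when there is no DOM (e.g. under Node).
if (typeof document !== "undefined") {
  // Each blocked execution attempt surfaces here instead of running.
  document.addEventListener("securitypolicyviolation", (e) => {
    console.log("CSP blocked:", e.violatedDirective, e.blockedURI, e.sample);
  });
  whenReady(document, () => {
    lockDownDocument(document, buildLockdownPolicy());
    const sink = document.createElement("div");
    document.body.appendChild(sink);
    // Constructed XSS payloads written through innerHTML after the lockdown:
    // the onerror handler and the javascript: link are refused by CSP; the
    // <script> element was already inert because innerHTML never runs scripts.
    sink.innerHTML =
      '<img src="x" onerror="alert(1)">' +
      '<a href="javascript:alert(2)">click</a>' +
      '<script>alert(3)</script>';
  });
}
```

Two caveats a practitioner will hit. First, a policy delivered via <meta> cannot carry frame-ancestors, report-uri or sandbox, so clickjacking protection and violation reporting still need the HTTP header. Second, the lockdown applies to the page's own code too: any inline script or handler that must keep working after insertion needs a hash or nonce in script-src, and scripts loaded later must come from a listed source.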
