Eric Chen was working on this. Check dominatrixss-csp.googlecode.com for
our first attempt.
On May 2, 2013 10:29 AM, "Ian Melven" <imelven@mozilla.com> wrote:
>
> would you be willing to share the policy you're using for this with the
> list for our edification? :)
>
> cheers,
> ian
>
>
> ----- Original Message -----
> From: "Eduardo' Vela" <evn@google.com>
> To: "Cory Carson" <Cory.Carson@boeing.com>
> Cc: "Brad Hill" <bhill@paypal-inc.com>, "Ian Melven" <imelven@mozilla.com>,
> "WebAppSec WG" <public-webappsec@w3.org>
> Sent: Tuesday, April 30, 2013 11:58:36 AM
> Subject: Re: CSP and innerHTML
>
>
> We've been using a CSP policy inserted via a DOM meta tag after load time
> to prevent XSS via innerHTML. It effectively makes all calls to innerHTML
> equivalent to toStaticHTML.
>
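The late-inserted meta policy that the quoted message describes, written out as an added example; this is not code from the thread or from the dominatrixss-csp project, and the nonce value, element ids and the `__ran` counter are made up for the demonstration. Open it in a browser: the injected markup still renders, but neither the inline handler nor the `javascript:` URL executes, and the violations show up in the page.

```html
<!doctype html>
<html>
<head>
  <meta charset="utf-8">
  <title>innerHTML under a late-inserted meta CSP (added example)</title>
</head>
<body>
  <div id="out"></div>
  <script>
    // Added example, not code from the original thread or from dominatrixss-csp.
    // The nonce and element ids are placeholders; a real page issues a fresh
    // random nonce per response.

    // Insert the policy after load, as the message describes. A dynamically
    // inserted <meta http-equiv="Content-Security-Policy"> is enforced from
    // the moment it enters the document: script that already ran keeps
    // running, but inline script, inline event handlers and javascript: URLs
    // that appear afterwards are refused.
    function installInnerHtmlCsp(nonce) {
      var meta = document.createElement('meta');
      meta.setAttribute('http-equiv', 'Content-Security-Policy');
      // Only nonce-bearing scripts may run. Without 'unsafe-inline', handler
      // attributes and javascript: URLs injected via innerHTML are inert.
      meta.setAttribute('content', "script-src 'nonce-" + nonce + "'");
      document.head.appendChild(meta);
    }

    // Constructed "untrusted" markup standing in for attacker-controlled data.
    // (A <script> element set via innerHTML never executes regardless of CSP,
    // so the cases that matter are handler attributes and javascript: URLs.)
    var untrusted =
      '<img src="x" onerror="window.__ran = (window.__ran || 0) + 1">' +
      '<a id="lnk" href="javascript:window.__ran = (window.__ran || 0) + 1">link</a>' +
      '<b>still rendered</b>';

    window.addEventListener('load', function () {
      installInnerHtmlCsp('demo-nonce-123');

      // Record violations so the effect is visible rather than silent.
      var blocked = [];
      document.addEventListener('securitypolicyviolation', function (e) {
        blocked.push(e.violatedDirective + ' (' + (e.blockedURI || 'inline') + ')');
      });

      var out = document.getElementById('out');
      out.innerHTML = untrusted;          // the sink being protected
      document.getElementById('lnk').click();

      // Give the violation events a moment to fire, then report.
      setTimeout(function () {
        out.insertAdjacentHTML('beforeend',
          '<pre>handlers executed: ' + (window.__ran || 0) +
          '\nblocked: ' + (blocked.join(', ') || 'none') + '</pre>');
      }, 100);
    });
  </script>
</body>
</html>
```

Two caveats worth keeping in mind when copying the approach: a meta-delivered policy cannot carry `frame-ancestors`, `report-uri` or `sandbox`, and it covers nothing that executed before the tag was inserted, so it complements rather than replaces a `Content-Security-Policy` response header.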