Re: Time to work on a Rec track JS sandbox? was: CSP and innerHTML from Eduardo' Vela on 2013-05-02 (public-webappsec@w3.org from May 2013)

From: Eduardo' Vela <evn@google.com>
Date: Thu, 2 May 2013 11:15:41 -0700
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: "Carson, Cory" <Cory.Carson@boeing.com>, Ian Melven <imelven@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CAFswPa8b-S0vcJEFGV9oSLJyZv1_ytfg1kyWgP+-MbPBcGLatg@mail.gmail.com>

An API that allows us to play with the DOM in a programmatic way (CSP is a
directive, for example, it would be nice if there was a way to be asked if
doing X is OK).

   - This seems similar to clearing the DOM and doing a bunch of
   document.register calls. Maybe we can have a way of saying
   document.open('text/html', null) to get a document without any registered
   DOM elements?
   - One could possibly achieve this with XML and document.register maybe?

Received on Thursday, 2 May 2013 18:16:28 UTC