Re: Making it easier to deploy CSP.

On Wed, Feb 17, 2016 at 11:52 AM, Mike West <mkwst@google.com> wrote:
> I haven't checked that in Chrome, so it's entirely possible that I'm wrong
> (or our implementation is wrong! :) ), but I'm fairly certain that's how it
> works. +annevk, who will certainly have opinions.

I know innerHTML should not result in scripts running (and the way
innerHTML is defined is as parsing into a DocumentFragment that is
then appended), but following the "prepare a script" steps it seems it
would execute per the specification. But I might be missing something.
Domenic, do you know what I'm missing?


-- 
https://annevankesteren.nl/

Received on Wednesday, 17 February 2016 11:39:54 UTC