
Re: Making it easier to deploy CSP.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 17 Feb 2016 12:39:26 +0100
Message-ID: <CADnb78ji8x6gdyRDM5sFuT-QdK2tx2k44fuNyY-rB=CqTpO63w@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Artur Janc <aaj@google.com>, Conrad Irwin <conrad.irwin@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Lukas Weichselbaum <lwe@google.com>, Michele Spagnuolo <mikispag@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Domenic Denicola <d@domenic.me>
On Wed, Feb 17, 2016 at 11:52 AM, Mike West <mkwst@google.com> wrote:
> I haven't checked that in Chrome, so it's entirely possible that I'm wrong
> (or our implementation is wrong! :) ), but I'm fairly certain that's how it
> works. +annevk, who will certainly have opinions.

I know innerHTML should not result in scripts running (and the way
innerHTML is defined is as parsing into a DocumentFragment that is
then appended), but following the "prepare a script" steps it seems it
would execute per the specification. But I might be missing something.
Domenic, do you know what I'm missing?

Received on Wednesday, 17 February 2016 11:39:54 UTC
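The case Anne asks about above, as an added example that is not part of this thread: a Node-runnable model of a subset of the HTML spec's "prepare a script" steps. The parser's "fragment case" sets the "already started" flag on every script element created by innerHTML, so the first step of prepare a script returns before CSP is consulted, whereas a script created with createElement and appended is not flagged and reaches the CSP checks. The element and csp shapes, attr() and the insertVia*() helpers are assumptions of this model, not browser code.

```javascript
// Model of "prepare a script" (subset), constructed for this example.
// Element record: { inline, src, nonce, alreadyStarted }; csp record: { allowInline, nonces, hosts }.
const makeScript = (inline, src, nonce, alreadyStarted) => ({ inline, src, nonce, alreadyStarted });

function attr(tagAttrs, name) {
  const m = new RegExp(`\\s${name}="([^"]*)"`, 'i').exec(tagAttrs);
  return m ? m[1] : null;
}

// innerHTML: the fragment parser marks each <script> it creates "already started".
function insertViaInnerHTML(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>[\s\S]*?<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = attr(m[1], 'src');
    scripts.push(makeScript(src === null, src, attr(m[1], 'nonce'), true));
  }
  return scripts;
}

// createElement('script') + appendChild: created by the DOM API, so not flagged.
function insertViaDOM({ src = null, nonce = null } = {}) {
  return makeScript(src === null, src, nonce, false);
}

// Returns why the script ran or did not; the src branch models the fetch being refused by script-src.
function prepareScript(el, csp) {
  if (el.alreadyStarted) return 'skipped: already started'; // step 1: the innerHTML case stops here
  el.alreadyStarted = true;
  if (el.inline) {
    const nonceOk = el.nonce !== null && csp.nonces.includes(el.nonce);
    if (!csp.allowInline && !nonceOk) return 'blocked: inline script by CSP';
    return 'execute: inline';
  }
  if (!csp.hosts.includes(new URL(el.src).host)) return 'blocked: src not allowed by CSP';
  return `execute: ${el.src}`;
}

function demo() {
  const csp = { allowInline: false, nonces: ['abc123'], hosts: ['cdn.example'] }; // constructed policy
  return {
    innerHtml: insertViaInnerHTML('<script nonce="abc123">console.log("hi")</script>').map(s => prepareScript(s, csp)),
    domInlineNoNonce: prepareScript(insertViaDOM(), csp),
    domInlineNonce: prepareScript(insertViaDOM({ nonce: 'abc123' }), csp),
    domSrc: prepareScript(insertViaDOM({ src: 'https://cdn.example/app.js' }), csp),
    domSrcOtherHost: prepareScript(insertViaDOM({ src: 'https://other.example/x.js' }), csp),
  };
}
```

Note that even a valid nonce on the innerHTML-inserted script changes nothing, because the already-started check precedes every CSP step.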
