- From: Ian Melven <imelven@mozilla.com>
- Date: Thu, 2 May 2013 10:28:17 -0700 (PDT)
- To: Jim Manico <jim.manico@owasp.org>
- Cc: WebAppSec WG <public-webappsec@w3.org>
Personally, I'm reluctant to introduce this level of granularity; I don't think CSP should move towards generic HTML sanitization/whitelisting functionality, although the desire for something like this in the web platform has come up more than once over the last couple of years :)

ian

----- Original Message -----
From: "Jim Manico" <jim.manico@owasp.org>
To: "Ian Melven" <imelven@mozilla.com>
Cc: "WebAppSec WG" <public-webappsec@w3.org>
Sent: Tuesday, April 30, 2013 1:41:23 PM
Subject: Re: CSP and innerHTML

Instead of CSP fully blocking innerHTML, is there a chance a policy could be set to limit what tags would be rendered? (i.e. an HTML sanitization policy?) This might be a bit much to request, but I can provide examples if interested.

--
Jim Manico
@Manicode
(808) 652-3805

On May 1, 2013, at 4:08 AM, Ian Melven <imelven@mozilla.com> wrote:

> Hi,
>
> recently Jonas Sicking raised the idea of having a CSP directive that would block usage of innerHTML
>
> the primary motivation for doing this seems to be additional defence in depth on top of CSP already
> restricting script and style injections
>
> i'm curious what others think of this idea and looking for feedback :)
>
> thanks,
> ian
Received on Thursday, 2 May 2013 17:28:44 UTC
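The "block innerHTML" directive discussed in the thread can be approximated today as a runtime guard on the innerHTML setter, with the same enforce / report-only split that CSP uses for its other directives. This is an added example, not code from the thread or from any CSP implementation; it assumes a constructed FakeElement standing in for Element.prototype (so it runs under Node without a DOM) and a hypothetical directive name "no-inner-html".

```javascript
// Stand-in for a DOM element so the guard can be exercised outside a browser.
// In a browser the policy would be installed on Element.prototype instead.
class FakeElement {
  constructor(tagName) { this.tagName = tagName; this._html = ''; }
  get innerHTML() { return this._html; }
  set innerHTML(v) { this._html = String(v); }
}

// Install an innerHTML policy on a prototype.
// mode 'enforce' rejects every assignment; 'report-only' lets it through.
// Each attempt is handed to report() as a CSP-violation-like record.
// Returns a function that restores the original accessor.
function installInnerHtmlPolicy(proto, { mode = 'enforce', report = () => {} } = {}) {
  const original = Object.getOwnPropertyDescriptor(proto, 'innerHTML');
  if (!original || !original.set) throw new Error('innerHTML is not an accessor here');
  Object.defineProperty(proto, 'innerHTML', {
    configurable: true,
    enumerable: original.enumerable,
    get() { return original.get.call(this); }, // reading markup stays allowed
    set(value) {
      report({
        'violated-directive': 'no-inner-html', // hypothetical directive name
        disposition: mode,
        element: this.tagName,
        sample: String(value).slice(0, 40),     // truncated, as CSP reports do
      });
      if (mode === 'enforce') throw new Error('innerHTML assignment blocked by policy');
      original.set.call(this, value);
    },
  });
  return () => Object.defineProperty(proto, 'innerHTML', original);
}

// Exercise one disposition with a constructed markup sample and return what happened.
function demo(mode) {
  const reports = [];
  const uninstall = installInnerHtmlPolicy(FakeElement.prototype, { mode, report: r => reports.push(r) });
  const el = new FakeElement('DIV');
  let blocked = false;
  try { el.innerHTML = '<b>untrusted</b>'; } catch (e) { blocked = true; }
  const result = { blocked, html: el.innerHTML, reports };
  uninstall();
  return result;
}
```

In enforce mode the assignment throws and the element stays empty; in report-only mode the markup lands but a violation record is still produced, which is the usual way to measure how much legitimate code a new directive would break before turning it on.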