[webkit-dev] innerStaticHTML
Adam Barth
abarth at webkit.org
Wed Nov 25 06:05:15 PST 2009
On Tue, Nov 24, 2009 at 11:21 PM, Maciej Stachowiak <mjs at apple.com> wrote:
> If we tie it to an element or attribute, people may be tempted to just do it
> in markup, which would be insecure.
Maybe we should have a DOM API called
webkitJailChildren("no-script-for-you") on Node that prevents future
children from running script. Making it a DOM API prevents authors
from trying to turn the feature on with markup.
On Tue, Nov 24, 2009 at 11:27 PM, Michal Zalewski <lcamtuf at google.com> wrote:
> <span secure_mode="$random_server_generated_nonce">
> ...unsanitized user content...
> </span secure_mode="$random_server_generated_nonce">
I'd rather not go this route in our initial implementation. I think
we should target the use case of a web site receiving an untrusted
string via cross-origin XMLHttpRequest or postMessage.
Adam
More information about the webkit-dev
mailing list