[webkit-dev] innerStaticHTML

Adam Barth abarth at webkit.org
Wed Nov 25 06:05:15 PST 2009

On Tue, Nov 24, 2009 at 11:21 PM, Maciej Stachowiak <mjs at apple.com> wrote:
> If we tie it to an element or attribute, people may be tempted to just do it
> in markup, which would be insecure.

Maybe we should have a DOM API called
webkitJailChildren("no-script-for-you") on Node that prevents future
children from running script.  Making it a DOM API prevents authors
from trying to turn the feature on with markup.

On Tue, Nov 24, 2009 at 11:27 PM, Michal Zalewski <lcamtuf at google.com> wrote:
> <span secure_mode="$random_server_generated_nonce">
> ...unsanitized user content...
> </span secure_mode="$random_server_generated_nonce">

I'd rather not go this route in our initial implementation.  I think
we should target the use case of a web site receiving an untrusted
string via cross-origin XMLHttpRequest or postMessage.


More information about the webkit-dev mailing list