lcamtuf at google.com
Wed Nov 25 10:25:41 PST 2009
> I'd rather not go this route in our initial implementation. I think
> we should target the use case of a web site receiving an untrusted
> string via cross-origin XMLHttpRequest or postMessage.
Fair enough. OTOH, this solves a very narrow problem. If we have an
implementation that at least extends to a non-JS solution without the
need to create a wholly separate mechanism should there eventually be
desire to make a difference in this area, it's a win. So, child-locked
tags appeal to me a whole lot more than a variant of .innerHTML.
More information about the webkit-dev