On Tue, Nov 24, 2009 at 11:21 PM, Maciej Stachowiak <[email protected]> wrote:
> If we tie it to an element or attribute, people may be tempted to just do it
> in markup, which would be insecure.
Maybe we should have a DOM API called
webkitJailChildren("no-script-for-you") on Node that prevents future
children from running script. Making it a DOM API prevents authors
from trying to turn the feature on with markup.
On Tue, Nov 24, 2009 at 11:27 PM, Michal Zalewski <[email protected]> wrote:
> <span secure_mode="$random_server_generated_nonce">
> ...unsanitized user content...
> </span secure_mode="$random_server_generated_nonce">
I'd rather not go this route in our initial implementation. I think
we should target the use case of a web site receiving an untrusted
string via cross-origin XMLHttpRequest or postMessage.
Adam
_______________________________________________
webkit-dev mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
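The use case Adam names at the end, an untrusted string arriving via cross-origin `postMessage`, handled on the receiving side as an added illustration (this is not code from the thread, and it does not implement the proposed `webkitJailChildren` API): check the sender's origin against an allowlist, insist on a string payload, and escape it before it touches markup so it can only ever render as text. The `handleMessage` and `escapeHtml` helpers, the allowlist and the sample message objects are constructed for this example.

```javascript
// Added example, not from the WebKit thread: receiving an untrusted string
// via postMessage and keeping it inert. The origin allowlist and the
// message objects used with it are constructed for illustration.

const ALLOWED_ORIGINS = new Set(["https://widgets.example"]); // constructed

// Escape the five characters that can change HTML context, so the payload
// can only ever render as text, never as tags or attributes.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Mirrors the shape of a MessageEvent handler: reject messages from
// unexpected origins, require a string payload (no structured-clone
// objects that later code might trust), and return markup in which the
// payload is escaped. Returns null when the message is dropped.
function handleMessage(event, allowed = ALLOWED_ORIGINS) {
  if (!allowed.has(event.origin)) return null;      // origin check comes first
  if (typeof event.data !== "string") return null;  // only plain strings
  return `<span class="untrusted">${escapeHtml(event.data)}</span>`;
}

// In a page this would be wired up as:
//   window.addEventListener("message", (e) => {
//     const html = handleMessage(e);
//     if (html !== null) target.innerHTML = html;
//   });
// Where markup is not needed at all, `target.textContent = e.data` avoids
// the HTML parser entirely and is the simpler choice.
```

The origin check is deliberately done before looking at the payload: an escaped string from an unexpected sender is still a string the page never asked for, and dropping it early keeps the handler's contract simple.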