For the e-mail app, our HTML sanitization mechanism relies on creating
documents by using document.implementation.createHTMLDocument('') so
that we can use the system HTML parser. It is my understanding that the
document should be flagged as "loaded as data" so that, regardless of
CSP, remote style files should not be loaded, nor JS scripts run. Our
sanitization pass is then able to run over the DOM tree and discard
everything that is not whitelisted.
Preliminary investigations by Steve Chung are that the CSP rules are
being applied to this data document and this is breaking the e-mail
app. https://bugzilla.mozilla.org/show_bug.cgi?id=816922 has been filed
on this issue.
So my questions for the CSP / parser gurus are:
0) Are we badly confused about the "loaded as data" flag? Note that in
order to get Gecko to parse stylesheets, we cannot just create an
orphaned DOM node in the document (document.createElement without
appendChild/insertBefore), so we are injecting HTML into the document
proper.
1) Are CSP rules expected to be applied to "loaded as data" documents?
(I am assuming that document.adoptNode and document.importNode can serve
as the firewalls to avoid evil DOM nodes sneaking in the back door.)
2) Should we be doing something different for sanitization?
Thanks,
Andrew
_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
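The following is an added example of the sanitization approach Andrew describes, not code from his post or from the e-mail app: untrusted HTML is parsed into a document from document.implementation.createHTMLDocument(''), which has no browsing context, so no script runs and no subresource is fetched while parsing; the tree is then walked against an allow-list, and only the cleaned nodes cross into the live document via importNode (the "firewall" role he asks about in question 1). The tag, attribute and scheme lists (including cid: for inline mail parts), the DROP_WITH_CONTENT set and the sanitize*/attributeAllowed/isSafeUrl names are all assumptions of this example. It says nothing about whether CSP applies to the inert document, which is the open question in the post.

```javascript
// Allow-list HTML sanitizer on an inert document (added example; every list
// below is an assumption, not the e-mail app's real policy).
const ALLOWED_TAGS = new Set([
  'a', 'b', 'blockquote', 'br', 'div', 'em', 'h1', 'h2', 'h3', 'hr', 'i', 'img',
  'li', 'ol', 'p', 'pre', 'span', 'strong', 'table', 'tbody', 'td', 'th',
  'thead', 'tr', 'u', 'ul',
]);
// Elements whose content must go with them: unwrapping them would leak script
// text or foreign-namespace markup into the surrounding tree.
const DROP_WITH_CONTENT = new Set([
  'script', 'style', 'noscript', 'template', 'iframe', 'frame', 'object',
  'embed', 'svg', 'math', 'link', 'meta', 'base', 'form',
]);
const ALLOWED_ATTRS = {
  '*': new Set(['title', 'alt']),
  a: new Set(['href']),
  img: new Set(['src', 'width', 'height']),
  td: new Set(['colspan', 'rowspan']),
  th: new Set(['colspan', 'rowspan']),
};
const URL_ATTRS = new Set(['href', 'src']);
// cid: is assumed here because inline mail parts are addressed that way.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto', 'cid']);

// True when a URL attribute value cannot carry a script scheme. Browsers strip
// leading/trailing C0 controls and spaces and remove tabs/newlines anywhere
// before resolving, so "java\nscript:" resolves as "javascript:". Removing every
// C0 character and space before looking at the scheme is stricter than that,
// i.e. this check fails closed.
function isSafeUrl(value) {
  const stripped = String(value).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(stripped);
  if (!m) return true;                 // relative or protocol-relative URL
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Decide whether attribute `name` may remain on element `tag`.
function attributeAllowed(tag, name, value) {
  const n = name.toLowerCase();
  if (n.startsWith('on')) return false;   // event handler attributes
  if (n === 'style') return false;        // no inline CSS at all
  const perTag = ALLOWED_ATTRS[tag];
  if (!ALLOWED_ATTRS['*'].has(n) && !(perTag && perTag.has(n))) return false;
  return URL_ATTRS.has(n) ? isSafeUrl(value) : true;
}

// Walk `parent` inside the inert document, removing or unwrapping whatever the
// allow-list rejects. Iterate over a snapshot: removing from a live NodeList
// while iterating it skips the following sibling.
function sanitizeChildren(parent) {
  for (const node of Array.from(parent.childNodes)) {
    if (node.nodeType === 3) continue;                       // text stays
    if (node.nodeType !== 1) { node.remove(); continue; }    // comments, PIs, ...
    const tag = node.localName;
    if (DROP_WITH_CONTENT.has(tag)) { node.remove(); continue; }
    sanitizeChildren(node);                  // clean descendants before unwrapping
    if (!ALLOWED_TAGS.has(tag)) {
      node.replaceWith(...Array.from(node.childNodes));  // unwrap unknown tag
      continue;
    }
    for (const name of node.getAttributeNames()) {
      if (!attributeAllowed(tag, name, node.getAttribute(name))) {
        node.removeAttribute(name);
      }
    }
  }
}

// Parse untrusted HTML in a document without a browsing context, sanitize it
// there, and only then import the clean nodes into `targetDoc`. The returned
// fragment is meant to be appended as nodes, never re-serialised and re-parsed
// through innerHTML, which would reopen parser-differential (mutation) issues.
function sanitizeHTML(html, targetDoc) {
  const inert = targetDoc.implementation.createHTMLDocument('');
  inert.body.innerHTML = html;
  sanitizeChildren(inert.body);
  const frag = targetDoc.createDocumentFragment();
  for (const child of Array.from(inert.body.childNodes)) {
    frag.appendChild(targetDoc.importNode(child, true));
  }
  return frag;
}

// Browser-only demo on a constructed sample; skipped where there is no DOM.
if (typeof document !== 'undefined') {
  const sample = '<p onclick="x()">hi <a href="java\nscript:alert(1)">a</a>' +
    '<script>evil()</script><font color="red">plain</font><!-- c --></p>';
  const frag = sanitizeHTML(sample, document);
  console.log(frag.firstChild.outerHTML);
}
```

Run in a browser, the demo logs `<p>hi <a>a</a>plain</p>`: the handler and the javascript: href are stripped, the script and comment are gone, and the unknown font element is unwrapped to its text. Note that the parse into the inert document is where the CSP question in the post bites; this example only shows the walk and the importNode boundary.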