Hey Craig,
I did open this
discussion somewhere else:
https://discourse.wicg.io/t/xss-prevention-in-the-browser-by-the-browser/3518/4
On 4/24/19 5:55 PM, joris wrote:
Yes,
in a way it would do the same job as a sanitizer,
but it is more than that.
I think that a simple sanitize function could
On Mon, Apr 22, 2019 at 6:20 PM Brian Smith wrote:
> There are three (that I can think of) sources of confusion:
>
> 1. Is there any requirement that the signature algorithm that is used to
> sign a certificate be correlated in any way to the algorithm of the public
> key of the signed
Yes,
in a way it would do the same job as a sanitizer,
but it is more than that.
I think that a simple sanitize function could
be wrong.
A function to disable JS would
be the last barrier for an XSS.
While a sanitize function
would just be another
barrier between XSS code and
the browser's JS
Hi Joris,
I think we should follow Anne's advice and discuss this elsewhere.
But what you're suggesting is starting to look a lot more like a browser
provided sanitiser function:
document.getElementById('xss_output').innerHTML = sanitize(user_input);
There is some discussion about it at:
Yes.
But: this would still shrink the masking/sanitizing efforts,
because you could just use a tag that nobody else should use
inside user input like:
onload="disableScripts(document.getElementById('xss_output'))">
let user_input; //Load user_input without masking
let pattern
On 24/4/2019 10:18 a.m., Matt Palmer via dev-security-policy wrote:
On Wed, Apr 24, 2019 at 09:13:31AM +0300, Dimitris Zacharopoulos via
dev-security-policy wrote:
I support this update but I am not sure if this is somehow linked with the
scope of the Mozilla Policy. Does this change mean
On Wed, Apr 24, 2019 at 09:13:31AM +0300, Dimitris Zacharopoulos via
dev-security-policy wrote:
> I support this update but I am not sure if this is somehow linked with the
> scope of the Mozilla Policy. Does this change mean that after April 1, 2020,
> any Certificate that does not have an EKU
On 24/4/2019 2:09 a.m., Wayne Thayer via dev-security-policy wrote:
On Fri, Apr 19, 2019 at 7:12 PM Matt Palmer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
On Fri, Apr 19, 2019 at 01:22:59PM -0700, Wayne Thayer via
dev-security-policy wrote:
Okay, then I propose