On Nov 25, 2009, at 6:05 AM, Adam Barth wrote:

On Tue, Nov 24, 2009 at 11:21 PM, Maciej Stachowiak <m...@apple.com> wrote:
If we tie it to an element or attribute, people may be tempted to just do it
in markup, which would be insecure.

Maybe we should have a DOM API called
webkitJailChildren("no-script-for-you") on Node that prevents future
children from running script.  Making it a DOM API prevents authors
from trying to turn the feature on with markup.

Interesting idea. This seems potentially trickier to implement than just innerStaticHTML, since nearly every method that mutates the DOM will have to check jail status. innerStaticHTML could be limited in scope to only operations that happen as part of parsing.

On Tue, Nov 24, 2009 at 11:27 PM, Michal Zalewski <lcam...@google.com> wrote:
<span secure_mode="$random_server_generated_nonce">
...unsanitized user content...
</span secure_mode="$random_server_generated_nonce">

I'd rather not go this route in our initial implementation.  I think
we should target the use case of a web site receiving an untrusted
string via cross-origin XMLHttpRequest or postMessage.

One obvious likely use case is for sites that wish to sanitize user-generated content, for example comment sections of blogs. innerStaticHTML is actually decent for that use case. Not quite as nice as markup, but I'm wary of introducing parser complexity to defend against hostile content that tries to prematurely close the jail.

Regards,
Maciej

_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev