`node.innerHTML`'s setter can't execute script, but it can inject an `<iframe srcdoc>` that can. Let's change that: https://github.com/whatwg/html/issues/2300.
The issue is that that change is irrelevant outside of a CSP s-d context, as innerHTML remains a DOM XSS sink.
I agree with you that it doesn't attempt to lock down innerHTML. I think we can do that with an opt-in.
Replying to @arturjanc @sirdarckcat
Realistically this would be part of CSP anyway because you need the opt-in; so being CSP-specific is okay.
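The three behaviours the first exchange turns on can be checked in a browser with one page. This is an added demonstration, not code from the thread or from the WHATWG issue; the element ids `sink` and `log`, the `report` helper and all injected markup are constructed for the demo. The point it makes: a `<script>` inserted through the `innerHTML` setter is inert, an `<img onerror>` inserted the same way still fires (the "innerHTML remains a DOM XSS sink" objection), and an injected `<iframe srcdoc>` builds a new same-origin document whose inline script does run.

```html
<!doctype html>
<meta charset="utf-8">
<title>innerHTML setter vs iframe srcdoc (added demo)</title>
<pre id="log"></pre>
<div id="sink"></div>
<script>
  // Added demonstration; all markup below is constructed for this page.
  function report(label, ran) {
    document.getElementById('log').textContent +=
      label + ': ' + (ran ? 'script RAN' : 'inert') + '\n';
  }
  const sink = document.getElementById('sink');

  // Case 1: a <script> created by the innerHTML setter never executes.
  // Fragment parsing marks such script elements "already started", so the
  // element lands in the DOM but its body is never run.
  window.case1 = false;
  sink.innerHTML = '<script>window.case1 = true;<\/script>';
  report('innerHTML <script>', window.case1);

  // Case 2: innerHTML is still a DOM XSS sink via event-handler attributes.
  // The <img> fails to load and its onerror handler runs (asynchronously).
  sink.innerHTML =
    '<img src="x" onerror="report(\'innerHTML <img onerror>\', true)">';

  // Case 3: an <iframe srcdoc> injected via innerHTML parses a fresh
  // same-origin document with scripting enabled, so its inline <script>
  // executes; the child reports back through `parent`.
  sink.innerHTML =
    '<iframe srcdoc="<script>' +
    'parent.report(\'innerHTML <iframe srcdoc>\', true)' +
    '<\/script>"></iframe>';
</script>
```

Save the page and open it from a local file or any origin; the log shows case 1 as inert and cases 2 and 3 as executed (the order of the last two lines can vary because both fire after the synchronous script finishes). If the page is served with a nonce- or hash-based `Content-Security-Policy` for `script-src`, the `about:srcdoc` document inherits that policy and the injected inline script in case 3 is blocked as well, which is why the thread treats the srcdoc change as something that only matters in a CSP context.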
I'm coming from a diff position: if it complicates the web, there needs to be a strong reason for it.
Making some CSPs a bit better is not strong enough. But maybe, instead, that change is making the web simpler?
I.e., maybe this can be made elegant and aligned with the web, CSP aside. Adding complexity is wrong.
I've tried to argue for "alignment" here: https://github.com/whatwg/html/issues/2300#issuecomment-275623897. I'd appreciate feedback if you disagree.
Replying to @arturjanc @sirdarckcat
Yes, I'll read the whole thread.