`node.innerHTML`'s setter can't execute script, but it can inject an `<iframe srcdoc>` that can. Let's change that: https://github.com/whatwg/html/issues/2300
Replying to @mikewest
is this a CSP salvage/resuscitation attempt? Or is there another reason to do this?
Replying to @sirdarckcat
It would make it a little more difficult to reuse nonces, wouldn't it? But I also think it's more sane than the status quo.
Replying to @mikewest
I think this is a useful change if we are making innerHTML have no JS execution sink. If it's just a wild goose chase for CSP, meh.
Replying to @sirdarckcat @mikewest
Why not both? ¯\_(ツ)_/¯ It's generally the former but you might have to swallow CSP to break event handlers & JS URIs
The issue is that that change is irrelevant outside of a CSP s-d context, as innerHTML remains a DOM XSS sink.
Replying to @kkotowicz
I agree with you that it doesn't attempt to lock down innerHTML. I think we can do that with an opt-in.
@arturjanc @sirdarckcat
Realistically this would be part of CSP anyway because you need the opt-in; so being CSP-specific is okay.