`node.innerHTML`'s setter can't execute script, but it can inject an `<iframe srcdoc>` that can. Let's change that: https://github.com/whatwg/html/issues/2300 ….
-
if the API does not fulfill the needs, devs will hack around it. Also innerHTML is not a safe, hardened API.
-
these hacks are also not introduced against the devs' intent, but for the opposite.
-
If I set a flag to opt my app into a mode that prevents script execution via parser-based APIs, intent is fairly obvious
-
It doesn't get much clearer than a flag that says 'stop-executing-scripts-added-via-parser-based-JS-apis'.
-
I think @slekies' point is that developers will want both things. Like what happened with ng-csp. It's a valid point IMO.
-
If convenience damages security and developer explicitly chose security, libraries need to conform. Simple.
-
I was thinking more about the default behavior. But if security is inconvenient, no one will adopt it.
-
FWs will want to *work* when developers "turn on" security features. So they will work around them. Simple.