On Fri, Sep 29, 2017 at 8:33 PM, Boris Zbarsky <bzbar...@mit.edu> wrote:

> On 9/29/17 3:32 PM, Kris Maglione wrote:
>
>> For instance, the following should all capture the caller principal for
>> the `src` URL at call time:
>>
>>     document.write(`<img src="http://example.com/favicon.ico">`);
>>     div.innerHTML = `<img src="http://example.com/favicon.ico">`;
>>     img.setAttribute("src", "http://example.com/favicon.ico");
>>     img.src = "http://example.com/favicon.ico";
>>
>
> What is the plan to do this, concretely?  Changing img.src to thread
> through a principal is not too bad but doing it for setAttribute would be a
> bit of a performance annoyance, and threading them through the parser would
> be _quite_ annoying.
>

Do you _need_ to make all those ways work? I'm especially worried about
the parser ones. As long as direct DOM manipulation works, and is easier
than overwriting (or removing) the page's CSP, can't we just encourage
people to use that mechanism?

innerHTML ("Satan's candy"), in particular, is often misused and leads to
XSS. It's the very last thing I'd want to give a "get out of CSP free"
pass.

-
Dan Veditz
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
