On 10/2/17 10:50 AM, Daniel Veditz wrote:
> As long as direct DOM manipulation works, and is easier
> than overwriting (or removing) the page's CSP, can't we just encourage
> people to use that mechanism?

The fact is, direct DOM manipulation with no parser involved is really
annoying to use. Compare these two snippets:

  var div = document.createElement("div");
  div.id = "foo";
  div.className = "bar";
  parent.prepend(div);

and:

  parent.prepend("<div id=foo class=bar>");

That said, I am sympathetic to the concern about innerHTML in
particular. Specifically, if an extension does:

  parent.innerHTML += "<div id=foo class=bar>";

instead of doing:

  parent.append("<div id=foo class=bar>");

and we exempt the former from CSP, then the extension just introduced
XSS into the page without even noticing...

So to be honest, my gut feeling is that we should not try to make
innerHTML or document.write() work here, but it would be nice to make
the ParentNode.append/prepend methods and maybe createContextualFragment
work...

-Boris
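
Added example, not part of the original message and not Mozilla code: one way for a content script to get close to the terseness of the string form while staying on the parser-free createElement path the message compares it with. The `build` helper, its "tag#id.class" spec grammar and the deny lists are assumptions made for illustration.

```javascript
// Added example (hypothetical helper, not a browser or WebExtension API).
// Strict grammar: tag, optional #id, zero or more .class tokens. Nothing else,
// so a string containing markup is rejected instead of being parsed.
const SPEC = /^([a-z][a-z0-9]*)(#[A-Za-z][\w-]*)?((?:\.[A-Za-z][\w-]*)*)$/;

// Assumption: elements whose insertion alone can load or run code are refused.
const DENIED_TAGS = new Set(["script", "iframe", "object", "embed", "style", "link", "base"]);
// Assumption: URL-bearing attributes may only carry http(s) targets.
const URL_ATTRS = new Set(["href", "src", "action", "formaction"]);
const SAFE_SCHEMES = new Set(["http:", "https:"]);
const BASE = "https://example.invalid/"; // placeholder base for relative URLs

function build(spec, opts = {}, doc = globalThis.document) {
  const m = SPEC.exec(spec);
  if (!m) throw new TypeError(`bad element spec: ${JSON.stringify(spec)}`);
  const [, tag, id, classes] = m;
  if (DENIED_TAGS.has(tag)) throw new TypeError(`tag not allowed: ${tag}`);

  // Same calls as the four-line snippet in the message: no HTML parser runs.
  const el = doc.createElement(tag);
  if (id) el.id = id.slice(1);
  if (classes) el.className = classes.slice(1).split(".").join(" ");

  for (const [name, value] of Object.entries(opts.attrs || {})) {
    const lower = name.toLowerCase();
    // Inline event handlers are what the page's CSP would have blocked.
    if (lower.startsWith("on")) throw new TypeError(`handler attribute refused: ${name}`);
    if (URL_ATTRS.has(lower)) {
      // The URL parser normalises embedded tabs/newlines before we look at the scheme.
      const scheme = new URL(String(value), BASE).protocol;
      if (!SAFE_SCHEMES.has(scheme)) throw new TypeError(`scheme refused: ${scheme}`);
    }
    el.setAttribute(name, String(value));
  }
  // textContent stores a text node; markup inside `text` stays inert.
  if (opts.text !== undefined) el.textContent = String(opts.text);
  return el;
}
```

In a content script this reads as `parent.prepend(build("div#foo.bar"))`, and the existing children of `parent` are never serialized and re-parsed the way `innerHTML +=` does.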