[whatwg] Which mechanisms does HTML5 have in place to combat XSS attacks?

Ian Hickson ian at hixie.ch
Tue Dec 7 17:12:29 PST 2010


On Tue, 14 Sep 2010, zhao Matt wrote:
>
> I know Mozilla and Microsoft have provided some ways (respectively, CSP, XSS
> filter) to mitigate or detect XSS attacks.
> So I wonder whether HTML5 will present an approach to fight these attacks?

"XSS" is a pretty broad range of attacks. HTML has a number of features 
designed to prevent XSS attacks, for example the origin security policy, 
the <iframe sandbox> feature, and the text/html-sandboxed MIME type. 
Others have also been proposed, such as a syntax to embed text as base64 
data safely.

HTH. If you have any specific questions please don't hesitate to raise 
them.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

