Sounds like you either want something like Content Restrictions (bug 390910) or the proposed "jail tag".
OS: Linux → All
Hardware: PC → All
(In reply to comment #0) > Even better would be to be able to surround user generated > content with <untrusted></untrusted>, but that would seem > to require making sure that the nefarious user doesn't > inject </untrusted> along with the other malicious content, > so </untrusted> would at least have to be treated strictly - > </untrusted<img src="legit.gif> must not be allowed to work, > for example. This end tag problem may be insurmountable, Actually, maybe it would be possible to implement this tag with an id, so <untrusted id="1"> doesn't close until </untrusted id="1">. Now say the user injects his own </untrusted id="1"> then there would be two end-tags with id="1" in which case the policy is enforced from the first tag until the last closing tag with that id. Problem is, I'm not sure how feasible this is, being that the whole page would have to be parsed before js could begin execution (is that a problem ?)... Maybe there could be a hint in the opening tag as to where the closing tag is meant to be, but that would add a whole bunch of complication, and this is probably not the right place to work out these details...
Bug 493857 is going to take care of this somewhat.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: CSP
You need to log in before you can comment on or make changes to this bug.