Krzysztof Kotowicz

Results 232 comments of Krzysztof Kotowicz

_From [email protected] on August 19, 2014 12:24:19_ **Cc:** [email protected]

I don't think it works now. EncryptedMessage.decrypt asks for a single key from the KeyRing based on KeyID, so we don't iterate over all keys. https://github.com/google/end-to-end/blob/3288abc94b3c7b9adc1258a427f779dd584ff50e/src/javascript/crypto/e2e/openpgp/contextimpl.js#L325

Rebased now that #805 is merged.

From my pov this is ready for a review, see discussion in #789.

Friendly ping, this seems to be the most efficient way we can prevent [attribute node bypasses](https://github.com/w3c/webappsec-trusted-types/issues/47) in Trusted Types by rejecting the value without potentially calling the default policy on...

> This sounds good overall, except that I'd wait with introducing `setInnerHTML` until we have a standardized sanitizer (see https://github.com/WICG/sanitizer-api) as not using the sanitizer should be an opt-out (labeled...

@annevk I like the safe-by-default aspect of it and how it enables incorporating sanitizer later. However, it still adds a new DOM XSS sink to the platform, it's just one...

My issue is with the introduction of a new sink, a variant of which needs to be unsafe to support DSD case (+ we don't actually have a way of...

Are the values to compare separate TT instances wrapping the same value? In that case, special casing TTs and unwrapping the string for change detection would probably help.

> Sanitizer API [...] can be extended to other languages

Not sure what you mean. Sanitizer API is tightly coupled with DOM (for example, it adds a function to DOM's...