[Bug 14502] Why do we want to taint on style set and not on style use? from bugzilla@jessica.w3.org on 2011-10-29 (public-html-bugzilla@w3.org from October 2011)

From: <bugzilla@jessica.w3.org>
Date: Sat, 29 Oct 2011 01:38:28 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1RJxsS-0005xb-AA@jessica.w3.org>

http://www.w3.org/Bugs/Public/show_bug.cgi?id=14502

--- Comment #11 from Adam Barth <w3c@adambarth.com> 2011-10-29 01:38:27 UTC ---
> If I have a site at
> foo.bar.com and it sets document.domain to bar.com, does that allow it to read
> image data from bar.com?

I hope not!  That would be a security vulnerability.  :)

IMHO, we should just pretend document.domain doesn't exist for all of these
modern security checks.

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

Received on Saturday, 29 October 2011 01:38:30 UTC