- From: Maciej Stachowiak <mjs@apple.com>
- Date: Sun, 31 May 2009 01:43:34 -0700
- To: Adam Barth <w3c@adambarth.com>
- Cc: Sam Ruby <rubys@intertwingly.net>, Anne van Kesteren <annevk@opera.com>, "Roy T. Fielding" <fielding@gbiv.com>, Larry Masinter <masinter@adobe.com>, HTML WG <public-html@w3.org>
On May 31, 2009, at 12:25 AM, Adam Barth wrote:

> On Fri, May 29, 2009 at 4:58 AM, Sam Ruby <rubys@intertwingly.net> wrote:
>> http://status.aws.amazon.com/rss/EC2API.rss
>
> Based on implementation feedback from Rob and Boris, I've left the
> current behavior of not sniffing feeds from text/plain. I'm not
> entirely sure whether or not we'll need to sniff feeds from
> text/plain. Firefox 3.5 should give us more information on this
> point.
>
> If we do end up sniffing feeds from text/plain, Maciej's suggestion of
> not granting feeds the authority of their origin seems workable. In
> fact, we might be required to do this anyway because many sites are
> vulnerable to cross-site scripting if we granted feeds the authority
> of their origin.

I don't think I made a specific suggestion. But here's some info on how Safari treats feeds:

1) We turn a feed into a generated HTML document for display.

2) We can also display a user-selected collection of feeds as one document, again displayed as HTML.

3) We don't execute any script that came from the feed in the context of the generated HTML document. At the very least due to point #2 this would be insecure.

4) We don't let any web page access the contents of the generated HTML document via script.

I think this prevents feeds from being used as an XSS attack vector in Safari, whether or not they are sniffed from text/plain.

Regards,
Maciej
Received on Sunday, 31 May 2009 08:44:21 UTC