Ok, thank you Daniel! understood :)

-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Mon, Dec 14, 2009 at 1:06 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> On 12/7/09 12:30 AM, sird@rckc.at wrote:
> > Ian, are you aware that that will provide CSS the power to execute
> > javascript cross-site? (think on XSS).
> >
> > Right now we can't do this on firefox anymore, because they limited it
> > to same domain, but if this gets implemented then attacker.com
> > <http://attacker.com> will just send the header so his script will be
> > loaded.
>
> Mozilla isn't going to expand the use of XBL(1) bindings with or without
> CORS; we'd like to kill remote XBL(1) dead, in fact. The part of the
> spec you quoted, however, refers to XBL 2.0 which has a different
> processing model. We will only consider loading cross-origin XBL 2 if
> scripts in a binding respect the same-origin policy.

Received on Monday, 14 December 2009 05:09:20 GMT