On Jan 26, 2010, at 2:44 PM, Collin Jackson wrote:

>
> Since there is no mechanism preventing the attacker from making an
> iframe that points at the <sandbox>'s "src" attribute, the site needs
> some way of preventing the content from rendering as HTML, even though
> it will normally be script in non-attack scenarios. Serving up content
> with the mime type text/javascript (or application/x-javascript) works
> about as well as text/html-sandboxed (same IE6 and Flash caveats).

Using a JavaScript type is likely to make some or all of the content readable (and not just embeddable) cross-site. So even though it won't then be rendered as HTML, this choice of MIME type has risks.

Regards,
Maciej

Received on Wednesday, 27 January 2010 01:46:51 GMT
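The trade-off discussed in this message, as an added example that is not part of the original thread: a check a site could run over the responses that carry untrusted content for a sandboxed frame, flagging both the render-as-HTML risk and the cross-site script-inclusion risk. The function names, sample paths and finding labels are hypothetical, and `application/javascript` is included as an assumption alongside the two JavaScript types named in the thread.

```javascript
// Added example (not from the thread): audit the Content-Type a site uses
// when serving untrusted content meant for a sandboxed frame.
const HTML_TYPES = new Set(["text/html", "application/xhtml+xml"]);
const SCRIPT_TYPES = new Set([
  "text/javascript", "application/javascript", "application/x-javascript",
]);

// Extract the bare media type: drop parameters, trim, lowercase.
function mediaType(headerValue) {
  if (typeof headerValue !== "string") return "";
  return headerValue.split(";")[0].trim().toLowerCase();
}

// Header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Returns the risks named in the thread for one response's headers.
function auditUntrustedResponse(headers) {
  const type = mediaType(getHeader(headers, "content-type"));
  const findings = [];
  if (type === "") {
    findings.push("no-content-type: browser may sniff the body as HTML");
  } else if (HTML_TYPES.has(type)) {
    findings.push("renders-as-html: a direct iframe runs it in the site's origin");
  } else if (SCRIPT_TYPES.has(type)) {
    findings.push("script-includable: another site can load it with <script src>");
  } else if (type !== "text/html-sandboxed") {
    // Types the thread does not discuss are reported, not judged.
    findings.push("unreviewed-type: " + type);
  }
  return findings;
}

// Constructed sample responses (hypothetical paths).
const samples = [
  { path: "/widget/1", headers: { "Content-Type": "text/html; charset=utf-8" } },
  { path: "/widget/2", headers: { "content-type": "Application/X-JavaScript" } },
  { path: "/widget/3", headers: { "Content-Type": "text/html-sandboxed" } },
  { path: "/widget/4", headers: {} },
];

function auditAll(responses) {
  return responses.map((r) => ({ path: r.path, findings: auditUntrustedResponse(r.headers) }));
}

for (const r of auditAll(samples)) {
  console.log(r.path, r.findings.length ? r.findings.join("; ") : "ok");
}
```

A clean result for `text/html-sandboxed` still carries the IE6 and Flash caveats mentioned in the quoted text.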
This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:02 GMT