- From: gaz Heyes <gazheyes@gmail.com>
- Date: Tue, 15 Feb 2011 16:59:03 +0000
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
Received on Tuesday, 15 February 2011 17:07:01 UTC
On 15 February 2011 15:08, Boris Zbarsky <bzbarsky@mit.edu> wrote:

>> He sets the url to a script which has CSP enabled to provide same origin
>> restrictions
>
> Yes, but he never lets it load, so those restrictions never take effect.
>
>> try {
>> ifr.contentDocument.documentElement.innerHTML=src;
>>
>> Given that you immediately do this?
>>
>> I think you might be confused with sdc's naming conventions, "src"
>> actually refers to the source code supplied not the url of the iframe.
>
> No, I'm not confused. He sets the iframe's src to something, then without
> waiting for that something to load sets the innerHTML of the about:blank
> document that's in the iframe right now. Which raises the question of why
> he bothered setting the iframe's src in the first place. Which is the
> question I asked

Apologies, I must admit I didn't try the code.