- From: gaz Heyes <gazheyes@gmail.com>
- Date: Tue, 15 Feb 2011 16:59:03 +0000
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
Received on Tuesday, 15 February 2011 17:07:01 UTC
On 15 February 2011 15:08, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>> He sets the url to a script which has CSP enabled to provide same origin
>> restrictions
>
> Yes, but he never lets it load, so those restrictions never take effect.
>
>
> try {
>> ifr.contentDocument.documentElement.innerHTML=src;
>>
>> Given that you immediately do this?
>>
>> I think you might be confused with sdc's naming conventions, "src"
>> actually refers to the source code supplied not the url of the iframe.
>>
>
> No, I'm not confused. He sets the iframe's src to something, then without
> waiting for that something to load sets the innerHTML of the about:blank
> document that's in the iframe right now. Which raises the question of why
> he bothered setting the iframe's src in the first place. Which is the
> question I asked
Apologies, I must admit I didn't try the code.