Re: XSS mitigation in browsers

> <http://www.thespanner.co.uk/2009/11/23/bypassing-csp-for-fun-no-profit/>

Yeah, we were also unhappy with E4X for other reasons:

http://code.google.com/p/doctype/wiki/ArticleE4XSecurity

...but E4X is not the root issue here, it just makes this vector a bit
more convincing.

/mz

Received on Thursday, 20 January 2011 23:26:53 UTC