
Re: XSS mitigation in browsers

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Thu, 20 Jan 2011 15:26:00 -0800
Message-ID: <AANLkTi=69T6FBRkBXN=TD=qero5aFeJGK8B7yHfTmu9y@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Brandon Sterne <bsterne@mozilla.com>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org, Sid Stamm <sid@mozilla.com>, Lucas Adamski <ladamski@mozilla.com>

> <http://www.thespanner.co.uk/2009/11/23/bypassing-csp-for-fun-no-profit/>

Yeah, we were also unhappy with E4X for other reasons:

http://code.google.com/p/doctype/wiki/ArticleE4XSecurity

...but E4X is not the root issue here, it just makes this vector a bit
more convincing.

/mz
Received on Thursday, 20 January 2011 23:26:53 GMT
