W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: XSS mitigation in browsers

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Thu, 20 Jan 2011 16:02:42 -0800
Message-ID: <AANLkTinJ0L86AZbAAwTCn2st00-GJ_RN2qJtHvnoHM2M@mail.gmail.com>
To: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
Cc: Brandon Sterne <bsterne@mozilla.com>, Adam Barth <w3c@adambarth.com>, "public-web-security@w3.org" <public-web-security@w3.org>, Sid Stamm <sid@mozilla.com>, Lucas Adamski <ladamski@mozilla.com>
> Not to nitpick on this bug too much, but regardless of the underlying parsing issue, shouldn't the browser refuse to load this resource when it gets returned with a 404 error code?

Possibly, but IIRC, this does not happen today with <img>, <script>,
etc. IIRC, Any codes other than 30x and 401 (and possibly other
obscure cases) are essentially treated as 200. I suppose this is in
line with the tradition of ignoring other HTTP information in these
cases (Content-Type, Content-Disposition), although there are some
efforts to improve at least that last part.

/mz
Received on Friday, 21 January 2011 00:03:35 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 21 January 2011 00:03:36 GMT