Re: XSS mitigation in browsers

On Thu, Jan 20, 2011 at 4:07 PM, Steingruebl, Andy
<asteingruebl@paypal-inc.com> wrote:

>     For example, we've never seen a case in recent history where any
>     browser will execute the embedded script in your example when the
>     page is a 302 for example

Gecko will, if the redirect fails (e.g. the Location value can't be 
parsed into a URI).

http://landfill.mozilla.org/ryl/broken-redirect.cgi has a testcase if 
you care.

-Boris

Received on Monday, 24 January 2011 19:13:22 UTC
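
The reply above implies that the body of a 3xx response is not guaranteed to stay unrendered when the Location value cannot be used. The following is an added example, not part of the original message: a server-side check that flags redirect responses whose Location looks unparseable or whose body carries markup. The function names are hypothetical, and Python's `urllib.parse` stands in for a browser URI parser, which is an assumption (Gecko's own parser may accept or reject different values).

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def location_problem(value):
    """Return a reason string if the Location value looks unusable, else None."""
    if value is None or not value.strip():
        return "missing or empty Location"
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in value):
        return "control character or whitespace in Location"
    try:
        parts = urlsplit(value)   # raises ValueError on e.g. an unclosed '['
        parts.port                # raises ValueError on a non-numeric port
    except ValueError as exc:
        return f"unparseable Location ({exc})"
    return None

def audit_redirect(status, headers, body):
    """List findings for one response; an empty list means nothing to report."""
    if status not in REDIRECT_CODES:
        return []
    findings = []
    lookup = {k.lower(): v for k, v in headers.items()}
    problem = location_problem(lookup.get("location"))
    if problem:
        findings.append(problem)
    # A redirect body should be empty or plain text; markup here is what a
    # browser would render if it ends up displaying the body instead.
    if b"<" in body:
        findings.append("redirect body contains markup")
    return findings

if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    samples = [
        (302, {"Location": "https://example.test/next"}, b""),
        (302, {"Location": "http://[bad"}, b"<b>reflected input</b>"),
        (302, {}, b"Moved"),
    ]
    for status, headers, body in samples:
        print(status, headers.get("Location"), audit_redirect(status, headers, body))
```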