
Re: XSS mitigation in browsers

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 24 Jan 2011 14:12:49 -0500
To: undisclosed-recipients:;
Message-ID: <4D3DCF31.4000407@mit.edu>
CC: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>, "public-web-security@w3.org" <public-web-security@w3.org>
On Thu, Jan 20, 2011 at 4:07 PM, Steingruebl, Andy
<asteingruebl@paypal-inc.com> wrote:

>     For example, we've never seen a case in recent history where any
>     browser will execute the embedded script in your example when the
>     page is a 302 for example

Gecko will, if the redirect fails (e.g. the Location value can't be 
parsed into a URI).

http://landfill.mozilla.org/ryl/broken-redirect.cgi has a testcase if 
you care.

-Boris
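The failure mode Boris describes, seen from the defender's side, as an added example that is not part of this thread: a check over a captured 3xx response that flags an unparseable Location header together with script markup in the body, and a redirect builder whose body stays inert if the browser ends up rendering it. The sample responses and URLs are constructed.

```python
"""Defensive checks for a 3xx whose body gets rendered when the
Location header cannot be turned into a URI (added example, not
code from the thread; all sample values are constructed)."""
from html import escape
from urllib.parse import urlsplit


def location_is_usable(location: str) -> bool:
    """True if Location is an absolute http(s) URL a browser can follow."""
    if not location or "\r" in location or "\n" in location:
        return False
    try:
        parts = urlsplit(location)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def redirect_body_is_safe(body: str) -> bool:
    """A redirect body should carry nothing executable at all."""
    lowered = body.lower()
    return "<script" not in lowered and "javascript:" not in lowered


def audit_redirect(status: int, headers: dict, body: str) -> list:
    """Findings for one captured response; empty list means no issue."""
    findings = []
    if not 300 <= status < 400:
        return findings
    location = next((v for k, v in headers.items()
                     if k.lower() == "location"), "")
    if not location_is_usable(location):
        findings.append("unusable Location: body will be rendered")
    if not redirect_body_is_safe(body):
        findings.append("redirect body contains script")
    return findings


def safe_redirect(target: str):
    """Build a 302 whose fallback body is harmless even if it is shown."""
    if not location_is_usable(target):
        raise ValueError("refusing to redirect to an unparseable target")
    # Only the escaped target goes into the body: no reflected input.
    body = f'<a href="{escape(target, quote=True)}">Continue</a>'
    return 302, {"Location": target}, body
```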
Received on Monday, 24 January 2011 19:13:22 GMT
