W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: CSP XML Data with tokens

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 28 Jan 2011 17:16:10 +0000
Message-ID: <AANLkTi=CJXjttdadt3uth7-Qmm4OFd1i=+ZsevuL81TU@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: Adam Barth <w3c@adambarth.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On 28 January 2011 16:56, sird@rckc.at <sird@rckc.at> wrote:

> Hi!
> The attribute "seamless" will do:
> 1. If you have b{color:blue} in the doc
> 2. You have:
> <iframe sandbox="allow-same-origin" seamless="seamless"
> srcdoc="<b>xD</b>"></iframe>
> 3. You get, a blue bold "xD".

So it puts HTML content inside an attribute! How would it handle entities? I
mean if an attribute is rendering as HTML then does &#39; become '? Who
thought putting HTML in attributes was a good idea? Does that mean stuff
like <a href=javascript&amp;#58;alert(1)>test</a> I like the idea of
externally included sandboxed HTML but not inline.
Received on Friday, 28 January 2011 17:16:44 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 28 January 2011 17:16:45 GMT