On Tue, Dec 9, 2008 at 10:06 PM, Adam Barth <w3c@adambarth.com> wrote: > On Tue, Dec 9, 2008 at 12:42 PM, Marcos Caceres > <marcosscaceres@gmail.com> wrote: >> If authors want to use "application/xml", >> then they can use <content src="somefile" type="application/xml" /> >> and hope for the best :) > > I haven't been following the widget discussion very closely, so I > apologize if this issue is understood already, but, in general, being > able to coerce an arbitrary URL to application/xml is a big security > problem. Can you point me to where the <content> tag is defined? The content element is defined here: http://dev.w3.org/2006/waf/widgets/#the-content Would certainly appreciate more details about the security threat. Kind regards, Marcos -- Marcos Caceres http://datadriven.com.auReceived on Wednesday, 10 December 2008 10:56:30 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:01 GMT