
Re: Proposal: Document.parse() [AKA: Implied Context Parsing]

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 5 Jun 2012 02:02:45 -0700
Message-ID: <CAJE5ia90k8627zMh0LRnH-pCKge0SFnMFhwPUO9YRQCELVEdzQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Ian Hickson <ian@hixie.ch>, Rafael Weinstein <rafaelw@google.com>, Webapps WG <public-webapps@w3.org>

On Tue, Jun 5, 2012 at 12:58 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Tue, Jun 5, 2012 at 2:10 AM, Adam Barth <w3c@adambarth.com> wrote:
>> Doesn't e4h have the same security problems as e4x?
>
> If you mean http://code.google.com/p/doctype-mirror/wiki/ArticleE4XSecurity
> I guess that would depend on how we define it.

By the way, it occurs to me that we can solve these security problems
if we restrict the syntax to only working when executing inline or via
<script crossorigin src=...>.  If the script has appropriate CORS
headers, then it doesn't matter if we leak its contents because
they're already readable by the document executing the script.

Adam
Received on Tuesday, 5 June 2012 09:11:42 GMT
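
The gating rule proposed in the message above, modelled as an added example (not code from the thread or from any browser): the syntax is enabled only when the document could already read the script text. The function names, the {src, crossorigin, headers} object shape and the example origins are assumptions made for illustration.

```javascript
"use strict";
// Added illustration of the gating rule proposed above; not code from the thread.
// literalSyntaxAllowed and the {src, crossorigin, headers} shape are hypothetical.

// Header names are case-insensitive, so normalise them before lookup.
function normalise(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// CORS check on the script response, as a browser applies it to a
// cross-origin fetch made in CORS mode.
function corsCheckPasses(docOrigin, credentialed, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  if (credentialed) {
    // With credentials the wildcard is rejected and the server must opt in.
    return allowOrigin === docOrigin &&
      headers["access-control-allow-credentials"] === "true";
  }
  return allowOrigin === "*" || allowOrigin === docOrigin;
}

// True when the document could already read the script text, which is
// the condition the message gives for enabling the syntax.
function literalSyntaxAllowed(docOrigin, script) {
  if (script.src === undefined) return true; // inline script
  // Literal reading of the message: an external script needs the
  // crossorigin attribute (assumed here to apply to same-origin URLs too).
  if (script.crossorigin === undefined) return false;
  if (new URL(script.src).origin === docOrigin) return true;
  const credentialed = script.crossorigin.toLowerCase() === "use-credentials";
  return corsCheckPasses(docOrigin, credentialed, normalise(script.headers));
}

// Constructed sample: the same cross-origin library loaded three ways.
const DOC = "https://app.example";
const SAMPLES = {
  noAttribute: { src: "https://cdn.example/lib.js",
    headers: { "Access-Control-Allow-Origin": "*" } },
  anonymous: { src: "https://cdn.example/lib.js", crossorigin: "anonymous",
    headers: { "Access-Control-Allow-Origin": "*" } },
  credentialedWildcard: { src: "https://cdn.example/lib.js",
    crossorigin: "use-credentials",
    headers: { "Access-Control-Allow-Origin": "*" } },
};
```

Without the crossorigin attribute the script is fetched without a CORS check, so even a permissive response header does not make its text readable to the including document and the syntax stays off.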
