Re: Proposal: Document.parse() [AKA: Implied Context Parsing]

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 5 Jun 2012 13:39:24 +0200
Message-ID: <CADnb78g9fQzh0RjUuwP7HWaEjkbxQLs_OsZ_wjG1Vd99Of=k_Q@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Ian Hickson <ian@hixie.ch>, Rafael Weinstein <rafaelw@google.com>, Webapps WG <public-webapps@w3.org>

On Tue, Jun 5, 2012 at 11:02 AM, Adam Barth <w3c@adambarth.com> wrote:
>> On Tue, Jun 5, 2012 at 2:10 AM, Adam Barth <w3c@adambarth.com> wrote:
>> If you mean http://code.google.com/p/doctype-mirror/wiki/ArticleE4XSecurity
>> I guess that would depend on how we define it.
>
> By the way, it occurs to me that we can solve these security problems
> if we restrict the syntax to only working when executing inline or via
> <script crossorigin src=...>.  If the script has appropriate CORS
> headers, then it doesn't matter if we leak its contents because
> they're already readable by the document executing the script.

It would also have to be disabled for workers until we have DOM access there...


-- 
Anne — Opera Software
http://annevankesteren.nl/
http://www.opera.com/
Received on Tuesday, 5 June 2012 11:46:13 GMT